Splunk Search

Remote and Local CLI search only returns 100 events

vcarbona
Path Finder

Here's my CLI search:

SPLUNK_URI=https://splunk_search_head:8089

/opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

When running the above command, I always get 100 results via the CLI both locally and remotely. When I run this locally, I don't add the URI environment variable. Via the Web, I get 300+. Tried the -maxout command even with the value of 0. Any ideas?

Here's the saved search:

sourcetype="my_vpn" State="QM_IDLE" | eval customer = if(isnull(customer_dst) and isnotnull(customer_src),customer_src,customer_dst) | eval gam = case(match(gam_dst, "null"),gam_src,match(gam_src, "null"),gam_dst)|dedup customer|fields customer,gam |fields - _*

However, when I do the following CLI search locally, I do get 10000 results:

/opt/splunk/bin/splunk search "sourcetype=my_vpn" -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

But when running remotely, I only get 100 results. Is there a special setting I'm missing here?

Any help is appreciated. -vc

Tags (2)

gkanapathy
Splunk Employee
Splunk Employee

Yes, there is a known bug when using -output csv. I believe this affects 4.1.4 and earlier (which is the current version).

Not directly your question, but if you are able to use the | outputcsv search command to write your results to a $SPLUNK_HOME/var/run/splunk on the local machine and access them from there, that will run much faster than using -output csv on the CLI, locally or remotely, especially if you have more than a few hundred results.

Stephen_Sorkin
Splunk Employee
Splunk Employee

A quick workaround in 4.1.x is to add the flag "-count 0" which will allow up to a -maxout of 50000.

vcarbona
Path Finder

The comment above refers to running searches both locally and remotely.

vcarbona
Path Finder

There seems to be a problem with the "-output csv" parameter. When removed, I get all 10K results but in "rawevents" format. Also used "-output table" and I also get all 10K results. Is there some kind of bug with "-output csv" and it's limiting it to 100 results?

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...