Splunk Search

Remote and Local CLI search only returns 100 events

vcarbona
Path Finder

Here's my CLI search:

export SPLUNK_URI=https://splunk_search_head:8089

/opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

When running the above command, I always get 100 results via the CLI both locally and remotely. When I run this locally, I don't add the URI environment variable. Via the Web, I get 300+. Tried the -maxout command even with the value of 0. Any ideas?

Here's the saved search:

sourcetype="my_vpn" State="QM_IDLE" | eval customer = if(isnull(customer_dst) and isnotnull(customer_src),customer_src,customer_dst) | eval gam = case(match(gam_dst, "null"),gam_src,match(gam_src, "null"),gam_dst)|dedup customer|fields customer,gam |fields - _*

However, when I do the following CLI search locally, I do get 10000 results:

/opt/splunk/bin/splunk search "sourcetype=my_vpn" -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

But when running remotely, I only get 100 results. Is there a special setting I'm missing here?

Any help is appreciated. -vc


gkanapathy
Splunk Employee

Yes, there is a known bug when using -output csv. I believe this affects 4.1.4 and earlier (which is the current version).

Not directly your question, but if you are able to use the | outputcsv search command to write your results to a file under $SPLUNK_HOME/var/run/splunk on the local machine and access them from there, that will run much faster than using -output csv on the CLI, locally or remotely, especially if you have more than a few hundred results.

Stephen_Sorkin
Splunk Employee

A quick workaround in 4.1.x is to add the flag "-count 0" which will allow up to a -maxout of 50000.
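An added wrapper (not from this thread) that applies the -count 0 workaround above and then checks the CSV for the exact-100-row symptom from the question, so a truncated export does not silently pass as complete. The splunk path, SPLUNK_URI, the saved-search name and the SPLUNK_AUTH variable are placeholders; the row counter assumes no field contains an embedded newline.

```shell
#!/bin/sh
# Added example, not the original poster's script. Placeholders: the splunk
# binary path, SPLUNK_URI, the saved search name and SPLUNK_AUTH (user:pass,
# read from the environment instead of being typed on the command line).

# Count data rows in a CSV file: total lines minus the header line.
# Assumes no field contains an embedded newline (true for the customer/gam
# fields of the saved search in the question).
csv_rows() {
    f="$1"
    [ -s "$f" ] || { echo 0; return; }
    n=$(wc -l < "$f")
    echo $((n - 1))
}

# Return 0 if the row count looks complete, 1 if it equals the 100-row
# truncation value reported above (possible -output csv bug) or hit -maxout.
check_rows() {
    rows="$1"; maxout="$2"
    if [ "$rows" -eq 100 ]; then
        echo "WARNING: exactly 100 rows; -output csv truncation possible" >&2
        return 1
    fi
    if [ "$rows" -ge "$maxout" ]; then
        echo "WARNING: row count reached -maxout $maxout; raise it" >&2
        return 1
    fi
    return 0
}

# Run the saved search remotely with the 4.1.x workaround (-count 0) and
# verify the output. Needs a real Splunk install; not run by the checks below.
run_search() {
    out="$1"; maxout="${2:-10000}"
    SPLUNK_URI="${SPLUNK_URI:-https://splunk_search_head:8089}"
    export SPLUNK_URI
    /opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' \
        -count 0 -maxout "$maxout" -auth "$SPLUNK_AUTH" \
        -output csv -wrap 0 > "$out" || return 1
    check_rows "$(csv_rows "$out")" "$maxout"
}
```

A legitimate search with exactly 100 results will also trigger the first warning; treat it as a prompt to re-run with -output table and compare counts, as the poster did.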

vcarbona
Path Finder

The comment above refers to running searches both locally and remotely.

vcarbona
Path Finder

There seems to be a problem with the "-output csv" parameter. When removed, I get all 10K results but in "rawevents" format. Also used "-output table" and I also get all 10K results. Is there some kind of bug with "-output csv" and it's limiting it to 100 results?
