Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Remote and Local CLI search only returns 100 events

vcarbona
Path Finder
‎08-06-2010 03:31 AM

Here's my CLI search:

SPLUNK_URI=https://splunk_search_head:8089

/opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

When running the above command, I always get 100 results via the CLI both locally and remotely. When I run this locally, I don't add the URI environment variable. Via the Web, I get 300+. Tried the -maxout command even with the value of 0. Any ideas?

Here's the saved search:

sourcetype="my_vpn" State="QM_IDLE" | eval customer = if(isnull(customer_dst) and isnotnull(customer_src),customer_src,customer_dst) | eval gam = case(match(gam_dst, "null"),gam_src,match(gam_src, "null"),gam_dst)|dedup customer|fields customer,gam |fields - _*

However, when I do the following CLI search locally, I do get 10000 results:

/opt/splunk/bin/splunk search "sourcetype=my_vpn" -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

But when running remotely, I only get 100 results. Is there a special setting I'm missing here?

Any help is appreciated. -vc

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-07-2010 08:25 PM

Yes, there is a known bug when using -output csv. I believe this affects 4.1.4 and earlier (which is the current version).

Not directly your question, but if you are able to use the | outputcsv search command to write your results to a $SPLUNK_HOME/var/run/splunk on the local machine and access them from there, that will run much faster than using -output csv on the CLI, locally or remotely, especially if you have more than a few hundred results.

Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-08-2010 06:13 PM

A quick workaround in 4.1.x is to add the flag "-count 0" which will allow up to a -maxout of 50000.

Reply

vcarbona
Path Finder
‎08-06-2010 08:33 PM

The comment above refers to running searches both locally and remotely.

Reply

vcarbona
Path Finder
‎08-06-2010 06:07 PM

There seems to be a problem with the "-output csv" parameter. When removed, I get all 10K results but in "rawevents" format. Also used "-output table" and I also get all 10K results. Is there some kind of bug with "-output csv" and it's limiting it to 100 results?

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...