Splunk Search

Remote and Local CLI search only returns 100 events

Path Finder

Here's my CLI search:


/opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

When running the above command, I always get 100 results via the CLI both locally and remotely. When I run this locally, I don't add the URI environment variable. Via the Web, I get 300+. Tried the -maxout command even with the value of 0. Any ideas?

Here's the saved search:

sourcetype="my_vpn" State="QM_IDLE" | eval customer = if(isnull(customer_dst) and isnotnull(customer_src),customer_src,customer_dst) | eval gam = case(match(gam_dst, "null"),gam_src,match(gam_src, "null"),gam_dst)|dedup customer|fields customer,gam |fields - _*

However, when I do the following CLI search locally, I do get 10000 results:

/opt/splunk/bin/splunk search "sourcetype=my_vpn" -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

But when running remotely, I only get 100 results. Is there a special setting I'm missing here?

Any help is appreciated. -vc

Tags (2)

Splunk Employee
Splunk Employee

Yes, there is a known bug when using -output csv. I believe this affects 4.1.4 and earlier (which is the current version).

Not directly your question, but if you are able to use the | outputcsv search command to write your results to a $SPLUNK_HOME/var/run/splunk on the local machine and access them from there, that will run much faster than using -output csv on the CLI, locally or remotely, especially if you have more than a few hundred results.

Splunk Employee
Splunk Employee

A quick workaround in 4.1.x is to add the flag "-count 0" which will allow up to a -maxout of 50000.

Path Finder

The comment above refers to running searches both locally and remotely.

Path Finder

There seems to be a problem with the "-output csv" parameter. When removed, I get all 10K results but in "rawevents" format. Also used "-output table" and I also get all 10K results. Is there some kind of bug with "-output csv" and it's limiting it to 100 results?