Remote and Local CLI search only returns 100 events

Path Finder

Here's my CLI search:

SPLUNK_URI=https://splunk_search_head:8089

/opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

When running the above command, I always get 100 results via the CLI both locally and remotely. When I run this locally, I don't add the URI environment variable. Via the Web, I get 300+. Tried the -maxout command even with the value of 0. Any ideas?

Here's the saved search:

sourcetype="my_vpn" State="QM_IDLE" | eval customer = if(isnull(customer_dst) and isnotnull(customer_src),customer_src,customer_dst) | eval gam = case(match(gam_dst, "null"),gam_src,match(gam_src, "null"),gam_dst)|dedup customer|fields customer,gam |fields - _*

However, when I do the following CLI search locally, I do get 10000 results:

/opt/splunk/bin/splunk search "sourcetype=my_vpn" -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk

But when running remotely, I only get 100 results. Is there a special setting I'm missing here?

Any help is appreciated. -vc

Re: Remote and Local CLI search only returns 100 events

Path Finder

There seems to be a problem with the "-output csv" parameter. When removed, I get all 10K results but in "rawevents" format. Also used "-output table" and I also get all 10K results. Is there some kind of bug with "-output csv" and it's limiting it to 100 results?

Re: Remote and Local CLI search only returns 100 events

Path Finder

The comment above refers to running searches both locally and remotely.

Re: Remote and Local CLI search only returns 100 events

Legend

Yes, there is a known bug when using -output csv. I believe this affects 4.1.4 and earlier (which is the current version).

Not directly your question, but if you are able to use the | outputcsv search command to write your results to $SPLUNK_HOME/var/run/splunk on the local machine and access them from there, that will run much faster than using -output csv on the CLI, locally or remotely, especially if you have more than a few hundred results.

Re: Remote and Local CLI search only returns 100 events

Motivator

A quick workaround in 4.1.x is to add the flag "-count 0" which will allow up to a -maxout of 50000.
