Splunk Search
Highlighted

Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

New Member

I'm using Splunk's Java SDK to get Splunk events, and the problem I'm facing is that Splunk only returns a maximum of 100 events, even if the search originally contains more than 100 events. How can I get all the events instead of just the 100 latest ones ?

I'm calling a one-shot search like this:

ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername(USERNAME_HERE);
loginArgs.setPassword(PASSWORD_HERE);
loginArgs.setHost(HOSTURL_HERE);
loginArgs.setPort(PORT_HERE);

HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
Service service = Service.connect(loginArgs);
String searchQuery_normal = SEARCH_STRING_HERE;
JobArgs jobargs = new JobArgs();
jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
Job job = service.getJobs().create(searchQuery_normal, jobargs);

//job only contains 100 events maximum

Doing an online search revealed that doing this before calling the search might help, but it doesn't -- I still get only 100 of the newest events, not all:

jobArgs.setAutoFinalizeEventCount(0);
0 Karma
Highlighted

Re: Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

SplunkTrust
SplunkTrust
0 Karma
Highlighted

Re: Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

Engager

Using the Java SDK, you can pass a JobResultsArgs object to the Job's getResults() method. Specify the count as 0 to return all available results, instead of just 100 (the default setting).

JobResultsArgs jobResultsArgs = new JobResultsArgs();
jobResultsArgs.setCount(0);
InputStream resultsNormalSearch = job.getResults(jobResultsArgs);

Then you can use the ResultsReaderXml to iterate through all the available events. However, this is still limited to the server's default configuration setting of max 50,000, or whatever it's set to.

For more info, see setCount method in JavaDocs for the Splunk SDK for Java:
http://docs.splunk.com/DocumentationStatic/JavaSDK/1.5.0/com/splunk/JobResultsArgs.html#setCount(int...