Splunk Search

search returns only 50000 events, even if maxEvents is specified

We are just trying to handle a worst case where number of events crosses 50,000.
I am using python "splunk.search.dispatch" as below

searchjob = splunk.search.dispatch("search index=our_index earliest=-7d@d",sessionKey=sessionkey,hostPath=self.baseurl,maxEvents=30000000)

After the job is done job status contain
eventAvailableCount as 646890
eventCount as 646890

After that when i use, searchjob.getFeed to get result in csv mode as below
searchjob.getFeed(mode='results', outputMode='csv',count=0)

It only return 50,000 events. But it should return 646890 events.

Please let me know whether I have to pass any additional arguments to getFeed method.. or is there any other way to achieve my requirement

0 Karma

Below Code helped me to get my requirement

searchjob = splunk.search.dispatch("searchquery",sessionKey=sessionkey,hostPath=baseurl,earliestTime=earliestTime,latestTime=latestTime,maxEvents=30000000)
resultCount = searchjob.resultCount
offsetValue = 0
searchresults = ""
while offsetValue < resultCount:
searchresults = searchresults + str(searchjob.getFeed(mode='results', outputMode='csv',count=49999,offset=offsetValue))
offsetValue = offsetValue + 49999

0 Karma

Pagination while reading the result from job helped me. Thanks
http://dev.splunk.com/view/SP-CAAAECN#entitiescollections