Re: How to change the max line length parameter be...

matthieu_araman · ‎06-24-2015

Hello,

I'm doing such a search:

mysearch | stats dc(ip) as countip, values(ip) as valuesip | where countip > xxx | table countip,valuesip

Then either export results via the UI or scheduling and sending the csv results.

The number of returned rows is a few lines (<100)
countip max is about 6000 so the valuesip field may contain a list of 6000 ips

In the Splunk Web UI, it looks correct.
In the csv file, when I look at it in a text editor, I see the line breaks at 991 characters.
Results are not truncated, but they are on the second line and so on.

Obviously, when opening the csv file, it produces garbage ...

So I need to change the "max line length before adding a new line character when exporting by csv" parameter?

I couldn't find which setting it is.

Any idea?

matthieu_araman · ‎06-24-2015

tested on another splunk instance and doesn't seem limited this time

testcase
* | stats dc(dest_ip) as countip,values(dest_ip) | sort limit=1 - countip
have more than 8000 results
csv file is two lines
header
one 123000 length line -> good

the one with the pb has many parameters set -> still trying to find which one manage this

fdi01 · ‎06-24-2015

in limits.conf file, try like this :

 [restapi]
     # maximum result rows to be returned by /events or /results getters from REST API  
     maxresultrows = 60000

Increase that value to the desired maximum number of events,
This configuration option should affect the number of results exported for a table.

matthieu_araman · ‎06-24-2015

Hello,

this problem is not row depending as it can occurs with only one row.
As noted initially, I've very few raws for this search but can have a list of several thousands ip as a value.

For another report, I've already upped maxresults, maresultrows to 1M and the maresults in a csv atteched to email to 50k -> I don't think this is the limiting factor.

as line are wrapped to 991 characters, there may be a setting around 1000 ?
I've looked as 1000 values in limits.conf without success but I may have missed the good one.

vinitatsky · ‎06-24-2015

alt textWhile exporting the results - select 'Number of Results' to 'Unlimited'.alt text

Hope it helps.

matthieu_araman · ‎06-24-2015

already doing this, I think it just adjust number of returned rows
I've got other reports with more than 10k rows running ok (already upped this limit to 50k)
I'm only doing the export via ui for debugging, I will automatically send as csv by email

vinitatsky · ‎06-24-2015

In limits.conf - there is one configuration value i.e.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Limitsconf

[associate]
maxvaluesize =
* Maximum length of a single value to consider.
* Defaults to 1000.

Can you check this value and give it a try?

matthieu_araman · ‎06-24-2015

Will try.

But the cell value is not really truncated but spread over multiples rows in the csv...

How to change the max line length parameter before adding a line break for exporting by CSV?

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024