Solved: Show Source and save as CSV truncate large events?

pde · ‎09-13-2010

I have records that consist of fairly large (200+ lines, > 20 Kb per record) XML documents.

When I export the results of a search for these records to CSV, the _raw cell is truncated; the full record is not written to the _raw cell (note: not an Excel issue. The records are not larger than the 32K-1 byte Excel maximum, and editing the CSV directly shows that the record is indeed truncated).

The records are similarly truncated in a "Show Source" view.

What gives?

Thanks

-Pete

steveyz · ‎09-16-2010

When the UI typically issues a request for events, it will ask the backend to truncate long events above a certain number of lines. My guess is that this limit is in force even for show search and export as csv from the UI, because they share a common access point. To get around this issue, you can append "| outputcsv <filename>" to the end of your search, and the full csv file should be written out to $SPLUNK_HOME/var/run/splunk/<filename>

View solution in original post

steveyz · ‎09-16-2010

When the UI typically issues a request for events, it will ask the backend to truncate long events above a certain number of lines. My guess is that this limit is in force even for show search and export as csv from the UI, because they share a common access point. To get around this issue, you can append "| outputcsv <filename>" to the end of your search, and the full csv file should be written out to $SPLUNK_HOME/var/run/splunk/<filename>

pde · ‎09-17-2010

Interesting. The main UI displays the full event...

The solution works, but is of little use to my users, who do not get shell access to the server. I suppose an enhancement is in order.

Show Source and save as CSV truncate large events?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk