
SANS Internet Storm Center (ISC) InfoSec Forums


Splunk query returns fewer results than expected
I am using this command to get the top 200 results from Splunk on my_field:

q = "search index=idx host=nets* mydomain.com | top limit=200 my_field"
When I run this in Splunk, it gives me 200 results. However, when I run it using the Splunk Python SDK, I get only 100 results.

import splunklib.client as client
import splunklib.results as results

# HOST, USER and PASS hold the Splunk server address and credentials
service = client.connect(host=HOST, username=USER, password=PASS)

# Time bounds for the search; passed straight through to the search job
extra_args = {"earliest_time": "-1h",
              "latest_time": "now"}

q = "search index=idx host=nets* mydomain.com | top limit=200 my_field"
res = service.jobs.oneshot(q, **extra_args)

# Walk the result stream and collect the my_field column
reader = results.ResultsReader(res)
top_jobs = []

for row in reader:
    top_jobs.append(row['my_field'])

print(len(top_jobs))  # always returns 100, or any number less than 100 that is specified in the query.
Is there any other way to specify the number of results?
Anonymous
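The 100-row ceiling in the post is a per-request limit on the results endpoint rather than anything in the SPL: the SDK's oneshot() and Job.results() both accept the REST `count` and `offset` parameters, and a request that names no `count` gets the server's default page. The following is an added example, not code from the post or from Splunk's SDK, that shows the two practical fixes: passing `count=0` (the REST convention for "all results") in the oneshot keyword arguments, and paging a blocking job with `offset`/`count` so the result set size never depends on a default. The fake server, the 100-row cap it enforces, and the helper names `oneshot_kwargs`, `fetch_all`, `top_values` and `splunk_page_fetcher` are all assumptions made here for illustration; `splunklib` is only imported inside the helper that talks to a real server, so the rest runs offline.

```python
"""Added example: getting every row back from a Splunk search via the Python SDK."""
from typing import Callable, Dict, Iterable, List

# Assumed per-request ceiling, matching the 100 rows seen in the post.
DEFAULT_PAGE_SIZE = 100


def oneshot_kwargs(earliest: str = "-1h", latest: str = "now",
                   count: int = 0) -> Dict[str, object]:
    """Keyword arguments for service.jobs.oneshot(query, **kwargs).

    count=0 is the REST convention for 'return all results'; a positive
    count caps the rows returned, and omitting it gives the server default.
    """
    return {"earliest_time": earliest, "latest_time": latest, "count": count}


def fetch_all(fetch_page: Callable[[int, int], List[dict]],
              page_size: int = DEFAULT_PAGE_SIZE) -> List[dict]:
    """Collect every row by calling fetch_page(offset, count) until a page
    comes back short. Works whatever the per-request ceiling happens to be."""
    rows: List[dict] = []
    offset = 0
    while True:
        page = fetch_page(offset, page_size)
        rows.extend(page)
        if len(page) < page_size:
            return rows
        offset += page_size


def top_values(rows: Iterable[dict], field: str) -> List[str]:
    """Pull one column out of the rows, skipping anything that is not a result
    dict (ResultsReader also yields Message objects for search messages)."""
    return [row[field] for row in rows if isinstance(row, dict) and field in row]


def splunk_page_fetcher(service, query: str, **search_kwargs):
    """Return a fetch_page callable backed by a real blocking search job.
    Needs splunklib (pip install splunk-sdk); imported lazily on purpose."""
    import splunklib.results as results
    job = service.jobs.create(query, exec_mode="blocking", **search_kwargs)

    def fetch_page(offset: int, count: int) -> List[dict]:
        stream = job.results(offset=offset, count=count)
        return [r for r in results.ResultsReader(stream) if isinstance(r, dict)]
    return fetch_page


def make_fake_server(total: int, cap: int = DEFAULT_PAGE_SIZE):
    """Constructed stand-in for a server holding `total` 'top' rows that, like
    the SDK call in the post, never returns more than `cap` rows per request.
    The returned callable counts its calls in fetch_page.calls."""
    data = [{"my_field": f"value{i}", "count": str(total - i)} for i in range(total)]

    def fetch_page(offset: int, count: int) -> List[dict]:
        fetch_page.calls += 1
        return data[offset:offset + min(count, cap)]
    fetch_page.calls = 0
    return fetch_page


if __name__ == "__main__":
    fake = make_fake_server(200)
    print(len(fake(0, 200)))                             # 100: the post's symptom
    print(len(top_values(fetch_all(fake), "my_field")))  # 200: paged through
    print(oneshot_kwargs())                              # count=0 for oneshot
```

With a real connection, `fetch_all(splunk_page_fetcher(service, q, earliest_time="-1h", latest_time="now"))` replaces the oneshot call in the post; for small result sets, `service.jobs.oneshot(q, **oneshot_kwargs())` is enough.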
