Show Source and save as CSV truncate large events?

pde
Path Finder

I have records that consist of fairly large (200+ lines, > 20 Kb per record) XML documents.

When I export the results of a search for these records to CSV, the _raw cell is truncated; the full record is not written to the _raw cell (note: not an Excel issue. The records are not larger than the 32K-1 byte Excel maximum, and editing the CSV directly shows that the record is indeed truncated).

The records are similarly truncated in a "Show Source" view.

What gives?

Thanks

-Pete

steveyz
Splunk Employee

When the UI typically issues a request for events, it will ask the backend to truncate long events above a certain number of lines. My guess is that this limit is in force even for show search and export as csv from the UI, because they share a common access point. To get around this issue, you can append "| outputcsv <filename>" to the end of your search, and the full csv file should be written out to $SPLUNK_HOME/var/run/splunk/<filename>

pde
Path Finder

Interesting. The main UI displays the full event...

The solution works, but is of little use to my users, who do not get shell access to the server. I suppose an enhancement is in order.
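
A way to confirm which rows of an exported CSV carry a truncated `_raw`, as an added example that is not part of the original thread. It assumes each `_raw` holds one XML document, as in the question; the function names and the sample export are constructed for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Records in the question exceed 20 KB each; raise the csv module's
# per-field limit (128 KiB by default) so large _raw cells are accepted.
csv.field_size_limit(2**31 - 1)


def find_truncated_raw(csv_text, raw_column="_raw"):
    """Return (row_number, byte_length, parser_error) for every row whose
    raw_column is not a well-formed XML document."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    if raw_column not in (reader.fieldnames or []):
        raise ValueError(f"column {raw_column!r} not in export")
    bad = []
    for row_number, row in enumerate(reader, start=1):
        raw = row[raw_column] or ""
        try:
            # Log content is untrusted input; defusedxml.ElementTree.fromstring
            # is a drop-in replacement if that package is installed.
            ET.fromstring(raw)
        except ET.ParseError as exc:
            bad.append((row_number, len(raw.encode("utf-8")), str(exc)))
    return bad


def build_sample_export():
    """Constructed two-row export: one complete event, one cut mid-tag."""
    complete = '<order id="1">\n  <item>disk</item>\n</order>'
    truncated = '<order id="2">\n  <item>tape</it'
    buf = io.StringIO(newline="")
    writer = csv.writer(buf)
    writer.writerow(["_time", "_raw"])
    writer.writerow(["2024-01-01T00:00:00", complete])
    writer.writerow(["2024-01-01T00:00:01", truncated])
    return buf.getvalue()


if __name__ == "__main__":
    for row_number, size, error in find_truncated_raw(build_sample_export()):
        print(f"row {row_number}: {size} bytes, not well-formed ({error})")
```

Running the same check against the UI export and the `outputcsv` file shows which events were cut and at what byte length.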
