Hello there,
I'm still newer to Splunk (and Python, which doesn't help). I used the code from the search and poll results code on the SDK page. I can't seem to figure out how to get more than 100 results. Here's the code:
```python
#set login settings above
kwargs_normalsearch = {"exec_mode": "normal", "max_count" : "20000"}
searchquery_normal = "search *"
job = service.jobs.create(searchquery_normal, **kwargs_normalsearch)
# A normal search returns the job's SID right away, so we need to poll for completion
while True:
    job.refresh()
    stats = {"isDone": job["isDone"],
             #"doneProgress": float(job["doneProgress"])*100,
             #"scanCount": int(job["scanCount"]),
             "eventCount": int(job["eventCount"]),
             "resultCount": int(job["resultCount"])}
    #status = ("\r%(doneProgress)03.1f%% %(scanCount)d scanned "
    status =("\r%(eventCount)d matched %(resultCount)d results") % stats
    sys.stdout.write(status)
    sys.stdout.flush()
    if stats["isDone"] == "1":
        sys.stdout.write("\n\nDone!\n\n")
        break
    sleep(2)
# Get properties of the job
print "Search job properties"
print "Search job ID: ", job["sid"]
print "The number of events: ", job["eventCount"]
print "The number of results:", job["resultCount"]
print "Search duration: ", job["runDuration"], "seconds"
print "This job expires in: ", job["ttl"], "seconds"
print "------------------------------------------\n"
print "Search results:\n"
num_results=0
# Get the results and display them
newFile = open("splunkResults.txt", 'w')
x = 0
for result in results.ResultsReader(job.results()):
    x += 1
print x
```
x always ends up being 100 (see bottom of code). I'm assuming I'm just overlooking something, but I can't figure out for the life of me what it is.
Forgot to give you the output of the script.
OUTPUT:
```
5000 matched 5000 results
Done!
Search job properties
Search job ID: 1376943997.140464
The number of events: 5000
The number of results: 5000
Search duration: 127.888000 seconds
This job expires in: 150000 seconds
Search results:
100
```
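The behaviour described in the post, as an added example that is not part of the original post: the job's results endpoint returns 100 rows per call unless `count` is given, so a finished job has to be read in pages using `count` and `offset`. `FakeJob` and `iter_job_results` are hypothetical names, and `FakeJob` is a constructed offline stand-in for the SDK's job object; with the SDK, `parse` would be `results.ResultsReader` as used in the post.

```python
class FakeJob:
    """Constructed stand-in for a finished search job (assumption, runs offline)."""

    def __init__(self, rows):
        self._rows = rows

    def __getitem__(self, key):
        # Job properties are strings, as in the post's output.
        return {"isDone": "1", "resultCount": str(len(self._rows))}[key]

    def results(self, count=100, offset=0):
        # Mirrors the results endpoint: count defaults to 100, count=0 means "all".
        end = None if count == 0 else offset + count
        return self._rows[offset:end]


def iter_job_results(job, parse, page_size=1000):
    """Yield every result row of a finished job, one page at a time.

    `parse` turns one response into rows: results.ResultsReader with the SDK,
    the built-in iter() for the stand-in above.
    """
    if page_size <= 0:
        raise ValueError("page_size must be positive")
    total = int(job["resultCount"])
    offset = 0
    while offset < total:
        for row in parse(job.results(count=page_size, offset=offset)):
            # ResultsReader also yields diagnostic message objects; keep rows only.
            if isinstance(row, dict):
                yield row
        offset += page_size


def demo():
    # Constructed data: 5000 rows, matching the resultCount in the post.
    job = FakeJob([{"_serial": str(i)} for i in range(5000)])
    default_call = sum(1 for _ in iter(job.results()))  # what the post's loop reads
    paged = sum(1 for _ in iter_job_results(job, iter, page_size=1000))
    return default_call, paged


if __name__ == "__main__":
    print(demo())
```

On a real deployment the number of rows a single call can return is also bounded by server-side limits, which is why the example pages instead of requesting everything at once.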