Splunk query returns fewer results than expected

Question

I am using this command to get top 200 results from Splunk on my_field:

q = "search index=idx host=nets* mydomain.com | top limit=200 my_field"

When I run this in Splunk, it gives me 200 results. However, when I run it using the Splunk Python SDK, I get only 100 results.

service = client.connect(host=HOST, username=USER, password=PASS)

extra_args = {"earliest_time": "-1h",
                  "latest_time": "now"}

q = "search index=idx host=nets* mydomain.com | top limit=200 my_field"
res = service.jobs.oneshot(q, **extra_args)

reader = results.ResultsReader(res)
top_jobs = []

for row in reader:
  top_jobs.append(row['my_field'])

print len(top_jobs) # always returns 100, or any number less than 100 that is specified in the query.

Is there any other way to specify the number of results?

Try suggestions posted at https://stackoverflow.com/questions/27492425/how-do-i-evade-the-limit-of-100-entries-in-python-splunk-query — Deathgrip, Jul 27 '17 at 22:38
Your Python query looks like it's only searching for the past hour. Do you know the time frame for the query run directly through Splunk? — freginold, Oct 16 '17 at 20:19
Does this answer your question? [How do I evade the limit of 100 entries in python splunk query](https://stackoverflow.com/questions/27492425/how-do-i-evade-the-limit-of-100-entries-in-python-splunk-query) — warren, Jul 26 '22 at 21:05

Splunk query returns fewer results than expected

0 Answers0