oneshotSearch() is only returning 100 logs
sapols opened this issue · 4 comments
- Project version: v1.12.0
- Platform version: MacOS 11.6
- Browser: Safari Version 15.0 (16612.1.29.41.4, 16612)
- Splunk Enterprise version: 9.0.1
- Other relevant information: I'm using this Splunk Javascript SDK in a javascript app I'm running locally on my machine, simply by opening the app's index.html file in a browser, and the SDK is hitting our production Splunk instance.
My problem is that I'm using the SDK to perform a oneshotSearch() to get logs, but it will only give me the first 100 logs. I cannot figure out where this limit is coming from nor how to increase it. I can't find any relevant info online either. The closest I've found is this community forum answer:
https://community.splunk.com/t5/Splunk-Search/100-result-limit-in-JS-SDK/m-p/96181
Wherein they talk about a default limit of 100 when getting results from a search job. But I'm doing oneshotSearch, not generating search jobs, and they don't mention anything about oneshotSearch. I tried supplying my function call with new values for status_buckets and max_count like they recommend but that didn't do anything.
Is this 100-result limit on oneshotSearch intentional? Is it possible to override the limit? If so, is how to do it documented somewhere I couldn't find? Please help. Thanks.
Hi @sapols Sorry for the delay in response.
The SDK just exposes the underlying platform Search API for oneshotSearch(). Per our team, the /oneshot endpoint is inherently more tightly constrained than any normal search because it has to provide a synchronous HTTP response.
If you need to change limits, the recommendation is to avoid using oneshotSearch().
Can you provide more details of the use case you are trying to achieve? Are you able to use a search job to do this instead?
Let us know if you are still facing issues with the SDK.
@sapols Checking if you still need help with this issue? Also, here is a document with more information on the one-shot Search API. Can you try setting the count parameter as described in the docs?
https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtorunsearchespython/#To-create-a-basic-one-shot-search-and-display-results
Hello,
That count parameter was exactly what I needed. Thank you very much. That docs page is perfect too; I wouldn't have had to open this GitHub issue if I'd found that page earlier. Is it new or did I just miss it?
This doc has been around for a while. Glad this was helpful and your issue is resolved!