The following custom search command displays only 1000 events in Splunk, although it should return 100,000. The rest of the events seem to be accounted for but are not displayed. Splunk 6.x and 7.x:
import splunk.clilib.cli_common as spcli
import splunk.Intersplunk
import sys
import time
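# Parse the keywords and options given to the search command.
# NOTE(review): neither value is read anywhere below.
keywords, options = splunk.Intersplunk.getKeywordsAndOptions()


def main(args):
    """Build 100,000 test events and pass them to Intersplunk in one call.

    Each event carries the current wall-clock time as ``_time`` and the loop
    index wrapped in braces as ``_raw``.

    Args:
        args: Command-line arguments (``sys.argv``); not used by the body.
    """
    # NOTE(review): the posted snippet lost its indentation; the output call
    # and the exit are assumed to follow the loop rather than sit inside it.
    results = []
    for i in range(100000):
        results.append({'_time': time.time(), '_raw': "{" + str(i) + "}"})
    splunk.Intersplunk.outputStreamResults(results)
    # sys.exit() works even when the site module has not installed exit().
    sys.exit()


main(sys.argv)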
commands.conf:
# Stanza for the custom search command; the stanza name is presumably the
# command name used in the search string (TODO confirm).
[test]
# Script that implements the command.
filename = test.py
# NOTE(review): believed to restrict the command to the search head; confirm
# against commands.conf.spec for the Splunk version in use.
local = true
# NOTE(review): declares that output may not follow input time order; confirm
# that this setting has any effect for a generating command.
overrides_timeorder = true
# Declares the command as streamable.
streaming = true
# Declares that the script handles multivalue fields.
supports_multivalues = true
# Declares the command as an event generator. NOTE(review): check how the
# "stream" value differs from "true" in commands.conf.spec.
generating = stream
![alt text][1]
[1]: /storage/temp/255894-a.png