Hello,
I'm writing a custom Splunk search command that runs a query on another Splunk host, then returns those results. Unfortunately, no matter what inputs I use in the search or arguments I change for the job creation the search only returns 100 results, but the job object returned by the Python SDK correctly identifies the ~30k results it should have in `job['resultCount']`.
Is there something I am missing in this process to get the SDK to give me all of the results? Please note that the command is called "ril", and it does not modify the results from the job at all, it only returns them. I will include as much information as I can below as to how the command is integrated into the app.
Thank you in advance.
__ril.py__ (edited for brevity)
service = client.connect(host=HOST, port=PORT, username=USERNAME, password=PASSWORD)
query = QUERY
kwargs = {"exec_mode": "normal", "count" : 0}
job = service.jobs.create(query, **kwargs)
# Poll for completion
while True:
while not job.is_ready():
pass
if job["isDone"] == "1":
break
sleep(0.5)
# Touch each result, make a dict of them to be passed to Intersplunk.outputResults()
newresults = []
for result in results.ResultsReader(job.results()):
newresults.append(result)
# Output results to Splunk
Intersplunk.outputResults(newresults)
__commands.conf__
[ril]
filename = ril.py
generating = true
local=true
__default.meta__
[]
access = read : [ * ], write : [ admin, power ]
↧