I am currently using Splunk SDKs to export data out of Splunk with the following:
SPLUNK QUERY: search index=***** sourcetype=*** host={host} earliest={earliest} latest={latest}
I have a python script that calls:
splunk_service.jobs.create(search_query)
and outputs and stores the data on a day-by-day basis.
The script works fine; however, I notice that all the files are of the same size, i.e. 60 KB, and all the files have {"text":"Your timerange was substituted based on your search string"} at the beginning.
I am trying to figure out if the data is being limited; my goal is to get all the data for the time period.
I tried appending count=0
to the SPLUNK query, however I end up getting zero results when I do so.
I tried running:
SPLUNK QUERY: search index=***** sourcetype=*** host={host} earliest={earliest} latest={latest} count=0 offset=0
and was expecting all results, however I ended up getting 0 results. I was at least getting limited results without the count=0 offset=0 parameters.
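Added example, not code from the poster's script: in the Splunk Python SDK the count/offset paging parameters belong to Job.results() (the REST results endpoint, which returns 100 rows by default) rather than to the SPL string, so the function below pages through every row of a finished job. FakeJob is a constructed stand-in for splunklib.client.Job so the example runs offline; the real job comes from splunk_service.jobs.create(search_query).

```python
import io
import json
import time


def wait_for_job(job, poll_seconds=2.0):
    """Block until the search job has finished (Job.is_done() is an SDK method)."""
    while not job.is_done():
        time.sleep(poll_seconds)
    return job


def iter_results(job, page_size=1000):
    """Yield every result row of a finished job by paging with count/offset.

    count and offset are keyword arguments of Job.results(); putting
    'count=0' inside the SPL string makes Splunk treat it as a field filter
    (count equal to 0) that matches nothing, while omitting count from
    results() returns only the endpoint default of 100 rows per call.
    """
    offset = 0
    while True:
        body = job.results(output_mode="json", count=page_size, offset=offset)
        page = json.load(body)            # {"preview":..,"messages":[..],"results":[..]}
        rows = page.get("results", [])    # the "Your timerange was substituted" note
        for row in rows:                  # is an informational entry in "messages"
            yield row
        if len(rows) < page_size:         # short page means this was the last one
            return
        offset += page_size


class FakeJob:
    """Constructed stand-in for splunklib.client.Job (assumption, not the SDK)."""

    def __init__(self, n_rows):
        self.rows = [{"_raw": f"event {i}", "host": "web01"} for i in range(n_rows)]

    def is_done(self):
        return True

    def results(self, output_mode="json", count=100, offset=0):
        end = len(self.rows) if count == 0 else offset + count
        payload = {"preview": False,
                   "messages": [{"type": "INFO", "text": "Your timerange was substituted based on your search string"}],
                   "results": self.rows[offset:end]}
        return io.StringIO(json.dumps(payload))


if __name__ == "__main__":
    print(len(list(iter_results(wait_for_job(FakeJob(2500)), page_size=1000))))
```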