Returning All Records When Querying the Splunk REST API

In my current environment the Windows 2012 R2 server builds are completely automated via PowerShell 4 DSC. This includes the installation of IIS Web Sites and Web Applications. We use Splunk to monitor all the IIS Logs and the .Net Web Application logs, and if you don’t have the Splunk configs automated, managing them can be a bear. Fortunately you can use PowerShell to manage Splunk via the Splunk REST API. This has been working well for us, but recently I came across an issue where the REST API on some of my servers wouldn’t return all of the monitors. These queries were working fine on most of my servers, but some would not return all of the results via the REST API, even though the Splunk command line did return all the monitors.

I found out from Splunk support that when you query the REST API for installed monitors, the results are limited to 30 records by default. To get all of the results, add “count=-1” as a query string parameter to the URI of the endpoint you are calling. This isn’t documented anywhere that I could find. Here’s how it looks in PowerShell when querying the local host using the default username and password.
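The following is an added example, not the post’s own code, showing the count=-1 query against the monitor inputs endpoint from PowerShell. It assumes the Splunk management port 8089 on localhost, the `/services/data/inputs/monitor` endpoint, HTTP Basic authentication on that endpoint, and a management certificate that PowerShell already trusts (the self-signed certificate Splunk ships with will fail validation in Invoke-RestMethod, so trust it or replace it rather than turning validation off). The function name `Get-SplunkMonitorInputs` is my own.

```powershell
# Added example: list every monitor input via the Splunk REST API, using
# count=-1 to lift the default 30-record cap. Assumed: management port 8089
# on localhost, Basic auth, and a trusted server certificate.

$BaseUri  = 'https://localhost:8089'
$Endpoint = '/services/data/inputs/monitor'

# Prompt for credentials instead of embedding a password in the script;
# in a DSC/automation run, pass in a PSCredential from your secret store.
$Cred = Get-Credential -Message 'Splunk credentials'

function Get-SplunkMonitorInputs {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Count = -1   # -1 returns all records; omit to get the default page
    )
    # output_mode=json makes Invoke-RestMethod return objects rather than Atom XML.
    $uri  = '{0}{1}?count={2}&output_mode=json' -f $BaseUri, $Endpoint, $Count
    $resp = Invoke-RestMethod -Uri $uri -Method Get -Credential $Credential

    # paging.total is the real number of monitors, regardless of how many
    # entries came back, so it exposes truncation when count is left at 30.
    [pscustomobject]@{
        Total    = $resp.paging.total
        Returned = @($resp.entry).Count
        Monitors = $resp.entry
    }
}

# Check: the default page versus the full list.
$capped = Get-SplunkMonitorInputs -Credential $Cred -Count 30
$all    = Get-SplunkMonitorInputs -Credential $Cred -Count -1

'Server reports {0} monitors; default page returned {1}; count=-1 returned {2}' -f `
    $all.Total, $capped.Returned, $all.Returned

# Each entry's name is the monitored path; content holds index, sourcetype, etc.
$all.Monitors | Select-Object name, @{ n = 'index'; e = { $_.content.index } }
```

If `Returned` is less than `Total` on the count=-1 call, something other than the page size is cutting the list short (for example, a role with restricted input visibility), so treat the two numbers as a sanity check before trusting the output in your automation.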
