https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511506#M124 I suppose it comes down to how many results your searches find. I search over 5 minutes every minute that ends up with a single results could be fine. You probably should contact Splunk for a definitive answer. Wed, 29 Jul 2020 12:35:47 GMT richgalloway 2020-07-29T12:35:47Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511374#M121 <P>Hi</P><P>According to</P><P><A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Service/SplunkCloudservice" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/Service/SplunkCloudservice</A></P><TABLE><TBODY><TR><TD>Data extracted as a result of search query, whether from the UI or REST API is limited to 5% of daily ingest for optimal performance.</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>And</P><P><SPAN>Scheduled search is not supported from a hybrid search head.</SPAN></P><P>&nbsp;</P><P><SPAN>Let's say I want to fetch over the API (not from a hybrid search head, instead of from a third-party system) 5 min worth of data and I schedule that search to run every minute.</SPAN></P><P><SPAN>I cannot see that that kind of set up would violate the agreement, but I want to make sure.</SPAN></P><P><SPAN>- 5 min worth of data every min will never equal&nbsp;5% of daily ingest...</SPAN></P><P><SPAN>Anyone who has done a similar setup successfully?</SPAN></P><P><SPAN>Many Thanks</SPAN></P><P><SPAN>Jonas</SPAN></P> Tue, 28 Jul 2020 15:26:41 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511374#M121 Jonas951 2020-07-28T15:26:41Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511399#M122 By my reckoning, pulling 5 minutes of data every minute equals 600% of daily ingest. Tue, 28 Jul 2020 18:57:07 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511399#M122 richgalloway 2020-07-28T18:57:07Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511415#M123 <P>Hi, you are indeed right, 600% as a total.</P><P>That is what I cannot get my head around since it says "<SPAN>Data extracted as a result of search query"</SPAN></P><P><SPAN>My take on that is that every individual search query is not allowed to bring back a dataset larger than 5% of daily ingest.</SPAN></P><P><SPAN>Splitting hairs, I know <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P><SPAN>PS, otherwise it should be "Data extracted as a result of total search queries per day are not allowed to bring back a dataset larger than 5% of daily ingest."</SPAN></P><P><SPAN>Are you with me?</SPAN></P><P><SPAN>Small different in language, but a huge difference in terms of what I can do with my data in Splunk Cloud</SPAN></P><P>&nbsp;</P><P><SPAN>Many thanks for answering my post <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>&nbsp;</P><P><SPAN>Best</SPAN></P><P>&nbsp;</P> Tue, 28 Jul 2020 20:23:40 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511415#M123 Jonas951 2020-07-28T20:23:40Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511506#M124 I suppose it comes down to how many results your searches find. I search over 5 minutes every minute that ends up with a single results could be fine. You probably should contact Splunk for a definitive answer. Wed, 29 Jul 2020 12:35:47 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Fetching-data-from-Splunk-Cloud-every-5-min-over-the-API/m-p/511506#M124 richgalloway 2020-07-29T12:35:47Z