https://community.splunk.com/t5/Splunk-Dev/Problem-with-Java-SDK-Splunk-query-with-more-events-returned/m-p/304964#M3983 <P>This is sent to devinfo also :</P> <P>We are using the Splunk javasdk to query out of a splunk <BR /> alarms index to put alarm into and oracle table and to our <BR /> alarm system. It runs every minute. </P> <P>The query is working 99% of the time, but we have some <BR /> unusual minutes where the count of alarm events is usually <BR /> high, as much as 5000 events, never close to the SDK limit of 50,000 . </P> <P>When this happend the query fails, and gives a BOGUS<BR /> error message. </P> <P>2018-01-11T23:58:00.046Z, level=ERROR, host=njgpdwi02, ssys=ETL, tid=214, cat=npac.splunk_etl.ETL_common, gid=null, text="ETL_splunk_TX: Exception while processing splunk ETL: (Connection refused (Connection refused))." bldi=default-value-from-handler</P> <P>We know the "Connection refused" is bogus because curl REST command still connect to the same port<BR /> AND moving the splunk query to a minute with fewer events, typically fewer than 20 and <BR /> the splunk query connects and works. </P> <P>It seem clear the large number of events in some single minutes are the issue<BR /> but we get a bogus message from the Splunk Java SDK.</P> <P>The Java SDK One shot query to splunk is set up like this;</P> <P>Args osArgs = new Args(); <BR /> osArgs.put("earliest_time", sdf.format(ts1)); // get all alarms posted since the earliest time<BR /> osArgs.put("count",fetchLimit); // set to zero to fetch all alarms (up to 50000 limit imposed by the API)<BR /> osArgs.put("output_mode","xml");<BR /> String osQuery = "search index=npac_alarm | reverse ";</P> <P>The count is set to 60, so bundles of 60 events should come. </P> <P>While the count of events that trigger the problem is relatively low at a few<BR /> thousand, some of these include java stack traces and can be quite<BR /> large both individually, and in sum.</P> <P>We are looking for guidance to clear the problem. I read that <BR /> using export queries from the SDK is preferable if there are a big number of<BR /> events. Could there be a buffer we are overflowing? Is count = 60 too low?</P> <P>Help appreciated. We are a support customer but I have not opened a ticket<BR /> my understadnig is writing to dev-info is the correct method. </P> Tue, 29 Sep 2020 17:38:42 GMT jimdiconectiv 2020-09-29T17:38:42Z https://community.splunk.com/t5/Splunk-Dev/Problem-with-Java-SDK-Splunk-query-with-more-events-returned/m-p/304964#M3983 <P>This is sent to devinfo also :</P> <P>We are using the Splunk javasdk to query out of a splunk <BR /> alarms index to put alarm into and oracle table and to our <BR /> alarm system. It runs every minute. </P> <P>The query is working 99% of the time, but we have some <BR /> unusual minutes where the count of alarm events is usually <BR /> high, as much as 5000 events, never close to the SDK limit of 50,000 . </P> <P>When this happend the query fails, and gives a BOGUS<BR /> error message. </P> <P>2018-01-11T23:58:00.046Z, level=ERROR, host=njgpdwi02, ssys=ETL, tid=214, cat=npac.splunk_etl.ETL_common, gid=null, text="ETL_splunk_TX: Exception while processing splunk ETL: (Connection refused (Connection refused))." bldi=default-value-from-handler</P> <P>We know the "Connection refused" is bogus because curl REST command still connect to the same port<BR /> AND moving the splunk query to a minute with fewer events, typically fewer than 20 and <BR /> the splunk query connects and works. </P> <P>It seem clear the large number of events in some single minutes are the issue<BR /> but we get a bogus message from the Splunk Java SDK.</P> <P>The Java SDK One shot query to splunk is set up like this;</P> <P>Args osArgs = new Args(); <BR /> osArgs.put("earliest_time", sdf.format(ts1)); // get all alarms posted since the earliest time<BR /> osArgs.put("count",fetchLimit); // set to zero to fetch all alarms (up to 50000 limit imposed by the API)<BR /> osArgs.put("output_mode","xml");<BR /> String osQuery = "search index=npac_alarm | reverse ";</P> <P>The count is set to 60, so bundles of 60 events should come. </P> <P>While the count of events that trigger the problem is relatively low at a few<BR /> thousand, some of these include java stack traces and can be quite<BR /> large both individually, and in sum.</P> <P>We are looking for guidance to clear the problem. I read that <BR /> using export queries from the SDK is preferable if there are a big number of<BR /> events. Could there be a buffer we are overflowing? Is count = 60 too low?</P> <P>Help appreciated. We are a support customer but I have not opened a ticket<BR /> my understadnig is writing to dev-info is the correct method. </P> Tue, 29 Sep 2020 17:38:42 GMT https://community.splunk.com/t5/Splunk-Dev/Problem-with-Java-SDK-Splunk-query-with-more-events-returned/m-p/304964#M3983 jimdiconectiv 2020-09-29T17:38:42Z