topic Re: search results different between splunk UI/portal and splunk API in Splunk Search

search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Sat, 31 May 2025 18:31:10 GMT

Hi,
I have this very simple splunk search query and i was able to run in splunk search portal or UI and I am using the same search query API (using the same query but in the form of encoded URL) - what is the issue?
I am getting total number of events as 164 in splunk portal but when i run the same query which is transted into encoded URL through python script i am getting 157 records/rows only...

since this search is only for yesterday iam using earliest=-1d@d latest=-0d@d

index=App001_logs
sourcetype="App001_logs_st"
earliest=-1d@d latest=-0d@d
organization IN ("InternalApps","ExternalApps")
AppclientId="ABC123"
status_code=200
environment="UAT"
| table _time, AppclientId,organization,environment,proxyBasePath,api_name

the same exact query which is translated in encoded URL like https:// whole search query

and when i run the python script in my desktop (my time zone is CST) i get only 157 records/rows

I think there is something going on UTC and CST -

this is what i see in splunk portal 164 events (5/30/25 12:00:00.000 AM to 5/31/25 12:00:00.000 AM)

any guidance please?

Re: search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Sat, 31 May 2025 18:36:49 GMT

when i look at the last row/record and look for _time the value it has is 2025-05-30 23:30:28.314
there is no record after this

Re: search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Sat, 31 May 2025 18:42:03 GMT

when i look at the _time which is pulled through API values look like below
_time
2025-05-30 10:28:06.234 UTC
2025-05-30 04:48:45.178 UTC
2025-05-30 16:33:09.755 UTC
2025-05-30 14:20:23.054 UTC

Re: search results different between splunk UI/portal and splunk API

PickleRick — Sun, 01 Jun 2025 05:02:48 GMT

If you suspect there's some time range discrepancy between those two searches, check their job logs. After the search is expanded as it's being dispatched to be executed, if I remember correctly it should have the earliest and latest as epoch-based timestamps. Check if they differ.

I assume you're spawning the searches from the same user, aren't you?

Re: search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Sun, 01 Jun 2025 14:55:21 GMT

Hi Rick, same user. i did use the earliest and latest in the search query itself as filters. API is using the services/export

Re: search results different between splunk UI/portal and splunk API

PrewinThomas — Mon, 02 Jun 2025 04:10:39 GMT

@Raj_Splunk_Ing

This is generally because API call normally defaults to UTC. So specify time zone in API call.

If you are using Splunk python SDK, then try "tz": "America/Chicago" as search parameter.

By adding the tz parameter with your local time zone ("America/Chicago" for CST), you instruct Splunk to interpret earliest=-1d@d and latest=-0d@d relative to that timezone, making the API search behave identically to your UI search in terms of the time window. This should resolve the discrepancy in event counts

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

Re: search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Mon, 02 Jun 2025 14:50:32 GMT

Hi, any guidance on this..

Re: search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Mon, 02 Jun 2025 15:48:18 GMT

Hi, Thanks for your input
where do i add this... in my search query

this is how my URL looks like

https://server/services/search/jobs/export?search=search%20index%3Dcfs_apiconnect_102212%20%20%20%0Asourcetype%3D%22cfs_apigee_102212_st%22%20%20%0Aearliest%3D-1d%40d%20latest%3D%40d%20%0Aorganization%20IN%20(%22ccb-na%22%2C%22ccb-na-ext%22)%20%0AclientId%3D%22AMZ%22%20%0Astatus_code%3D200%0Aenvironment%3D%22XYZ-uat03%22%0A%7C%20table%20%20_time%2CclientId%2Corganization%2Cenvironment%2CproxyBasePath%2Capi_name&&output_mode=csv

Re: search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Mon, 02 Jun 2025 16:01:35 GMT

I noticed that i dont have splunk python SDK because in my python script i dont have import splunklib or import splunk.. i am using python script within the alteryx tool

Re: search results different between splunk UI/portal and splunk API

PrewinThomas — Tue, 03 Jun 2025 04:50:42 GMT

@Raj_Splunk_Ing
Modify Your Python Script in Alteryx:
You need to find the part of your Python script where you build the URL or the parameters for the HTTP request to Splunk. You will then add a tz parameter to that request, setting its value to the time zone string you found in your splunk ui timezone.

Eg:
params = {
'search': spl_query,
'output_mode': 'csv',
'tz': splunk_ui_timezone
}

url adding tz parameter
https://server/services/search/jobs/export?search=search%20index%3Dcfs_apiconnect_102212%20%20%20%0Asourcetype%3D%22cfs_apigee_102212_st%22%20%20%0Aearliest%3D-1d%40d%20latest%3D%40d%20%0Aorganization%20IN%20(%22ccb-na%22%2C%22ccb-na-ext%22)%20%0AclientId%3D%22AMZ%22%20%0Astatus_code%3D200%0Aenvironment%3D%22XYZ-uat03%22%0A%7C%20table%20%20_time%2CclientId%2Corganization%2Cenvironment%2CproxyBasePath%2Capi_name&tz=America%2FChicago&output_mode=csv

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

Re: search results different between splunk UI/portal and splunk API

Raj_Splunk_Ing — Tue, 03 Jun 2025 17:34:16 GMT

Hi tried to follow by adding this to the url at the end

%20tz=America%2FNew_York&output_mode=csv"

and in the headers

headers = {
'Authorization': 'Basic AuthKey','Content-Type':'text/csv','tz':'(GMT-04:00) Eastern Time (US & Canada)'
}
this is not returning anything