Developing for Splunk Enterprise

Why using earliest_time and latest_time in oneshot search through REST API doesn't return all expected results?

Path Finder

I am running a search from a python script, following the example for onetime searches.
I have

searchquery_oneshot = ' search source=xxxx | table _time event screen '
kwargs_oneshot = {'latest_time': '-1h@h', 'output_mode': 'csv', 'earliest_time': '2014-01-01T00:00:00.000'}

It should have returned hundreds of records (when I run the same search and choose the same earliest and latest) ; However, it returned only 82 records for a recent 30 min or so timespan. It didn't even include ALL the records for that 30 mins.

Any suggestions please? I always need to have a fixed earliest time (its value gets calculated every night we run the script)

1 Solution

Path Finder

The problem was actually that Splunk has a limit on number of records it returns in the result set. I am using oneshot search and there doesn't seem to be a param for setting it to a high number.

View solution in original post

Explorer

Try setting this in the jobargs before you submit your job:

oneshotSearchArgs.add("count", 0);
0 Karma

Path Finder

The problem was actually that Splunk has a limit on number of records it returns in the result set. I am using oneshot search and there doesn't seem to be a param for setting it to a high number.

View solution in original post