splunk doesnt return all the results using rest ap...

ikenahim · ‎04-11-2019

I'm retrieving data from Splunk using rest API via production port 8980, on the GUI I can see 770 events when I retrieve data I got less then a 100.

here is my code in Java to retrieve data:

```
public JSONObject Post_request() throws IOException, ParseException {
String Query = "search " + OS_Vuln_Query;
Job job = session.make_Request().getJobs().create(Query);
while (!job.isDone()) {
try {
Thread.sleep(1000);
} catch (InterruptedException e) {
e.printStackTrace();
}
}
JobResultsArgs resultsArgs = new JobResultsArgs();
resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
InputStream results = job.getResults(resultsArgs);

    BufferedReader br = new BufferedReader(new InputStreamReader(results));
    StringBuilder sb = new StringBuilder();
    String line;
    while ((line = br.readLine()) != null)
    {
        sb.append(line);
    }
    JSONParser parser = new JSONParser();
    JSONObject json = (JSONObject) parser.parse(sb.toString());
    String vulns_as_string = json.get("results").toString();
    JSONArray vulns_to_json = (JSONArray) parser.parse(vulns_as_string);
    if (vulns_to_json.size()>0)
    {
        System.out.print("Splunk return results");
        for (int v = 0; v < vulns_to_json.size(); v++)
        {
            String vuln_as_string = vulns_to_json.get(v).toString();
            Vulnerability vulnerability = new Gson().fromJson(vuln_as_string, Vulnerability.class);
            data_Parsed = true;
            vulnerability.ports_to_List();
            list_of_OS_Vulnerability.add(vulnerability);
        }
        return json;
    }
    System.out.print("Splunk return empty results");
    return  null;
}

```

sduff_splunk · ‎04-11-2019

Hi,

You need to use the resultArgs.setCount(0) function to return all results

JobResultsArgs resultsArgs = new JobResultsArgs();
resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
resultsArgs.setCount(0); // set this to 0 to return all results
InputStream results = job.getResults(resultsArgs);

https://docs.splunk.com/DocumentationStatic/JavaSDK/1.0/com/splunk/JobResultsArgs.html#setCount(int)

splunk doesnt return all the results using rest api

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation