Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fetching data from Splunk Cloud every 5 min over the API

Jonas951
Loves-to-Learn Lots
‎07-28-2020 08:26 AM

Hi

According to

https://docs.splunk.com/Documentation/SplunkCloud/latest/Service/SplunkCloudservice

Data extracted as a result of search query, whether from the UI or REST API is limited to 5% of daily ingest for optimal performance.

 

And

Scheduled search is not supported from a hybrid search head.

 

Let's say I want to fetch over the API (not from a hybrid search head, instead of from a third-party system) 5 min worth of data and I schedule that search to run every minute.

I cannot see that that kind of set up would violate the agreement, but I want to make sure.

- 5 min worth of data every min will never equal 5% of daily ingest...

Anyone who has done a similar setup successfully?

Many Thanks

Jonas

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2020 11:57 AM
By my reckoning, pulling 5 minutes of data every minute equals 600% of daily ingest.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Jonas951
Loves-to-Learn Lots
‎07-28-2020 01:23 PM

Hi, you are indeed right, 600% as a total.

That is what I cannot get my head around since it says "Data extracted as a result of search query"

My take on that is that every individual search query is not allowed to bring back a dataset larger than 5% of daily ingest.

Splitting hairs, I know 🙂

PS, otherwise it should be "Data extracted as a result of total search queries per day are not allowed to bring back a dataset larger than 5% of daily ingest."

Are you with me?

Small different in language, but a huge difference in terms of what I can do with my data in Splunk Cloud

 

Many thanks for answering my post 🙂

 

Best

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2020 05:35 AM
I suppose it comes down to how many results your searches find. I search over 5 minutes every minute that ends up with a single results could be fine. You probably should contact Splunk for a definitive answer.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...