Splunk SDK search with aggregates returns zeros fo...

cwilen · ‎04-15-2013

I'm trying to export data from Splunk using the Java SDK. The search I'm using includes aggregate functions avg, min and max. The search works fine in Splunk Search web app but when exporting via SDK the aggregate values return zeros. A count value does return data as well as the time field. I've exported the values as JSON, XML and CSV and all return values in the raw output stream. Is this an issue with the aggregates values being decimals? Are they handled differently?

Neeraj_Luthra · ‎05-01-2013

The search query string, when used from Java SDK needs to have special characters like backslash (\) properly escaped. After working more with @cwilen we learnt that lack of escaping these characters was causing this problem.

Lesson learned: The search query string that works in Splunk UI may not work as-is from the SDK if it has special characters that need escaping.

Neeraj_Luthra · ‎04-17-2013

I believe we are helping you through the support case. We will update this post once we are able to resolve your issue with the findings from that case.

Splunk SDK search with aggregates returns zeros for aggregate values.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation