Why is notable Macro not returning results in real...

ismailawan · ‎01-26-2023

We use the splunk search endpoint to get notable events using the search endpoint
services/search/jobs

search=search `notable`
earliest_time=(currentTime - 2min)
latest_time=(currentTime)
adhoc_search_level=smart

When search is completed
services/search/jobs/<sid>
dispatchState = DONE

We get results
services/search/jobs/<sid>/results

We don't get all the results.

But when we make the same search with same time ranges around 10 to 15 mins later, we get the results which we missed in the realtime search.

Why do we get the issue and how do we resolve the issue ?

richgalloway · ‎01-26-2023

It's possible the data takes more than 2 minutes to be indexed. Try changing earliest_time to -4 minutes

---
If this reply helps you, Karma would be appreciated.

Why is notable Macro not returning results in realtime searches via search API?

notable event

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?