Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a delay in the Splunk API server 'seeing' events?

sonamchauhan
Engager
‎02-09-2023 07:26 PM

Is there a delay in the Splunk API server 'seeing' events that are already indexed?

I use the Splunk API to query logs for some testcases. I can submit a job to the API server (`POST https://<SERVER>:8089/services/search/jobs`). That works fine. But intermittently, the search job returns no results (GET https://<SERVER>:8089/services/search/jobs/<JOB_ID>/results returns a 204/No Content HTTP header, and no HTTP body) 

I checked if there was an indexing delay using the command below. Apparently there was not - the relevant logs were ingested and indexed well in time. It's just the Splunk API server that intermittently returns no results. 

 

 

<SPLUNK QUERY> | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")

 

 

 
Any pointers to how I can dig into this further? I'm just a dev, not a Splunk admin, so guidelines on what I do next are much appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sonamchauhan
Engager
‎02-09-2023 08:22 PM

OK, I may have solved my own problem (caused by lack of knowledge of how Splunk API jobs work). 

Basically, I had too short a delay between creating the job (POST job) and (GET results). I've increased it from 3 to 10 seconds and it seems to be behaving better

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sonamchauhan
Engager
‎02-09-2023 08:22 PM

OK, I may have solved my own problem (caused by lack of knowledge of how Splunk API jobs work). 

Basically, I had too short a delay between creating the job (POST job) and (GET results). I've increased it from 3 to 10 seconds and it seems to be behaving better

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...