Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a delay in the Splunk API server 'seeing' events?

sonamchauhan
Engager
‎02-09-2023 07:26 PM

Is there a delay in the Splunk API server 'seeing' events that are already indexed?

I use the Splunk API to query logs for some testcases. I can submit a job to the API server (`POST https://<SERVER>:8089/services/search/jobs`). That works fine. But intermittently, the search job returns no results (GET https://<SERVER>:8089/services/search/jobs/<JOB_ID>/results returns a 204/No Content HTTP header, and no HTTP body) 

I checked if there was an indexing delay using the command below. Apparently there was not - the relevant logs were ingested and indexed well in time. It's just the Splunk API server that intermittently returns no results. 

 

 

<SPLUNK QUERY> | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")

 

 

 
Any pointers to how I can dig into this further? I'm just a dev, not a Splunk admin, so guidelines on what I do next are much appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sonamchauhan
Engager
‎02-09-2023 08:22 PM

OK, I may have solved my own problem (caused by lack of knowledge of how Splunk API jobs work). 

Basically, I had too short a delay between creating the job (POST job) and (GET results). I've increased it from 3 to 10 seconds and it seems to be behaving better

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sonamchauhan
Engager
‎02-09-2023 08:22 PM

OK, I may have solved my own problem (caused by lack of knowledge of how Splunk API jobs work). 

Basically, I had too short a delay between creating the job (POST job) and (GET results). I've increased it from 3 to 10 seconds and it seems to be behaving better

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...