Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why am I getting an incorrect count searching a summary index using the Splunk REST API?

kartik13
Communicator
‎11-21-2015 05:15 AM

I am using the Splunk REST API. While making a request to Splunk, I receive the response, but with wrong numbers. My search is for summary indexing and the number of events in the summary index is less than about 2500 records. However, the count of an event field is coming in differently while using the API.

I have tried increasing the status bucket size and also the tried with bin option. I am using the exec_mode = oneshot. Not able to figure out what is wrong

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎11-24-2015 10:58 AM

Ok, thanks for the details. I'm not sure of all of the details of your situation, but have you ensured that there are no gaps in the summary index search?

There might be something that needs adjusting in the scheduling or other setup of your summary index that could affect event counts in the index. I'm not sure if you are seeing fewer events in the summary index or in the event field count with the API.

See these topics in our documentation:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Usesummaryindexing#Schedule_the_populati...

http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Managesummaryindexgapsandoverlaps

It might also help if you can post your query to make sure that it is configured properly for the results you expect.

This is just a suggestion to start troubleshooting. You can also contact Support to get more specific guidance.

Hope this helps!

Reply

kartik13
Communicator
‎11-25-2015 08:10 PM

Hi @frobinson ,

yes you were right it has to do with the gaps in the summary indexing, When i searched on the daily basis , it gave me a correct result,But during monthly search, results were different . Looking forward to it , I will update the answer as soon as i get the solution. Meanwhile if you can suggest any thing that will be great .

Thanks & Cheers!!!

Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎11-30-2015 10:04 AM

I'm glad that we've identified the problem! I can't be sure why your monthly search results are different. Did you get the chance to run through the troubleshooting guidance in the documentation links above? There might be an issue with the monthly search scheduling or timing, for example, that causes events to be missed.

As part of checking the timing for the scheduled search, you might also want to check the time zone settings for the scheduled search, just to be sure the settings match what you expect.

Please feel free to post more details!

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎11-23-2015 02:32 PM

Hi @kartik13,
What REST endpoint are you using, specifically?

0 Karma
Reply

kartik13
Communicator
‎11-23-2015 08:21 PM

I am using /services/search/jobs this end point with exec_mode=oneshot, so it blocking in nature and gives back the result in the same call.Also I have tried with exec_mode=blocking with increased bucket size and count . But the result is same.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...