I am using the Splunk REST API. While making a request to Splunk, I receive the response, but with wrong numbers. My search is for summary indexing and the number of events in the summary index is less than about 2500 records. However, the count of an event field is coming in differently while using the API.
I have tried increasing the status bucket size and also tried with the bin option. I am using exec_mode = oneshot. Not able to figure out what is wrong.
Ok, thanks for the details. I'm not sure of all of the details of your situation, but have you ensured that there are no gaps in the summary index search?
There might be something that needs adjusting in the scheduling or other setup of your summary index that could affect event counts in the index. I'm not sure if you are seeing fewer events in the summary index or in the event field count with the API.
See these topics in our documentation:
It might also help if you can post your query to make sure that it is configured properly for the results you expect.
This is just a suggestion to start troubleshooting. You can also contact Support to get more specific guidance.
Hope this helps!
Hi @frobinson,
Yes, you were right, it has to do with the gaps in the summary indexing. When I searched on a daily basis, it gave me a correct result, but during a monthly search, the results were different. Looking forward to it, I will update the answer as soon as I get the solution. Meanwhile, if you can suggest anything, that will be great.
Thanks & Cheers!!!
I'm glad that we've identified the problem! I can't be sure why your monthly search results are different. Did you get the chance to run through the troubleshooting guidance in the documentation links above? There might be an issue with the monthly search scheduling or timing, for example, that causes events to be missed.
As part of checking the timing for the scheduled search, you might also want to check the time zone settings for the scheduled search, just to be sure the settings match what you expect.
Please feel free to post more details!
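As an added example (not part of this thread and not Splunk's own code), here is a Python check for the kind of summary-index gap identified above. It assumes the summary search runs hourly and constructs a sample set of summary rows in the shape a `stats sum(count) AS count BY _time` search returns over the REST API (field values arrive as strings), then lists the hourly buckets that have no row and compares per-day totals with the whole-range total, so a monthly result can be reconciled against the daily ones. The `_ts` helper, the hourly `SPAN` and the sample data are assumptions.

```python
"""Find missing time buckets in summary-index output before trusting an
aggregate over a long range. Added example; sample data is constructed."""
from datetime import datetime, timedelta, timezone

SPAN = timedelta(hours=1)  # assumed: the summary-populating search runs hourly


def _ts(value):
    """Parse an ISO-8601 _time string as UTC (assumed output_mode=json format)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def build_sample_rows():
    """Constructed stand-in for two days of hourly summary rows.
    Three buckets are deliberately absent, as if the scheduled search skipped them."""
    start = _ts("2024-01-01T00:00:00")
    missing = {
        _ts("2024-01-01T05:00:00"),
        _ts("2024-01-02T13:00:00"),
        _ts("2024-01-02T14:00:00"),
    }
    rows = []
    for i in range(48):
        bucket = start + i * SPAN
        if bucket in missing:
            continue
        rows.append({"_time": bucket.isoformat(), "count": "10"})
    return rows


def load_buckets(rows):
    """Map each bucket start to its summed count; Splunk returns numbers as strings."""
    buckets = {}
    for row in rows:
        bucket = _ts(row["_time"])
        buckets[bucket] = buckets.get(bucket, 0) + int(row["count"])
    return buckets


def find_gaps(buckets, start, end, span=SPAN):
    """Return every bucket start in [start, end) that has no summary row."""
    gaps = []
    bucket = start
    while bucket < end:
        if bucket not in buckets:
            gaps.append(bucket)
        bucket += span
    return gaps


def daily_totals(buckets):
    """Sum bucket counts per calendar day, the same figure a daily search would give."""
    totals = {}
    for bucket, count in buckets.items():
        day = bucket.date().isoformat()
        totals[day] = totals.get(day, 0) + count
    return totals


def coverage_report(rows, start, end, span=SPAN):
    """Compare expected vs present buckets and expose the gaps and totals."""
    buckets = load_buckets(rows)
    gaps = find_gaps(buckets, start, end, span)
    return {
        "buckets_expected": int((end - start) / span),
        "buckets_present": len(buckets),
        "gaps": [g.isoformat() for g in gaps],
        "total": sum(buckets.values()),       # what a whole-range search sums to
        "daily": daily_totals(buckets),       # what per-day searches sum to
    }


if __name__ == "__main__":
    report = coverage_report(build_sample_rows(),
                             _ts("2024-01-01T00:00:00"),
                             _ts("2024-01-03T00:00:00"))
    print(f"{report['buckets_present']}/{report['buckets_expected']} buckets present")
    for gap in report["gaps"]:
        print("missing bucket:", gap)
    print("range total:", report["total"], "daily:", report["daily"])
```

Feed `coverage_report` the rows from the actual summary search for the full month; if `gaps` is non-empty, the monthly count is missing exactly those buckets, and backfilling them (Splunk's `fill_summary_index.py`) is the fix rather than tuning the REST call's bucket or count parameters.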
What REST endpoint are you using, specifically?
I am using the /services/search/jobs endpoint with exec_mode=oneshot, so it is blocking in nature and gives back the result in the same call. Also, I have tried exec_mode=blocking with increased bucket size and count, but the result is the same.