I don't thinl there's need to see any more since I haven't changed anything. Whatever I has yesterday i have today as well.

yml configuration ->

splunk:

   url: https://splunk-api-b.{host}.com:8089

   sid-endpoint: /services/search/jobs

   splunk-response-endpoint: /services/search/jobs/{sid}

@RequestMapping(value = "${feign.splunk.sid-endpoint}", produces = { "*/*" }, consumes = { "application/x-www-form-urlencoded" }, method = RequestMethod.POST) ResponseEntity splunkGetSid(@RequestBody MultiValueMap<String, String> getSplunkSidRequest, @RequestParam String output_mode, @RequestHeader(value="Authorization", required=true) String authorization);

@RequestMapping(value = "${feign.splunk.splunk-response-endpoint}", produces = { "application/json" }, consumes = { "application/json" }, method = RequestMethod.GET) ResponseEntity splunkGetResponse(@RequestParam(value = "output_mode") String output_mode, @PathVariable String sid, @RequestHeader(value="Authorization", required=true) String authorization);

@PepposChris , I think @kamlesh_vaghela is asking about your search code submitted via API, not API job query.  What have you submitted?  And why do you expect eventCount to be greater than 0?

Oh i'm sorry and thanks for the clarification.

This is the query im passing ->

search index=**** sourcetype=****_*** cf_org_name=*******_******_*** NOT cf_app_name = ******* (cf_space_name=PCFQAT01 OR cf_space_name=PCFQAT02 OR cf_space_name=PCFQAT03) java.lang.NullPointerException earliest=-24h

I've been using this exact same query for almost 2 weeks now and I haven't had any issues. But just yesterday i started getting eventCount=0. Because this seemed weird I tried 3-4 other queries where all of them would return eventCount=0.

I am not expecting eventCount=0 because I am also using the Splunk>Enterprise UI web app, and when I tried searching with the same queries I was getting results.

Also my disk usage is ->