Splunk Search

Why does my SPLUNK REST API return 0 eventCount?

PepposChris
Observer

Hello,

I've been using SPLUNK search REST API for a while now and just today I've run into the following issue.

When calling the services/search/jobs/{search_id} API I get back the proper results with dispatchState: DONE and eventCount: 0 but I know for sure that there are results because I also tried running the same query from the Splunk UI and I do get results back.

Has anything changed since yesterday (since it was working)? I don't think it's user related because I tried with several users and got the same results.


kamlesh_vaghela
SplunkTrust

@PepposChris 

Can you please share your sample code?

KV


PepposChris
Observer

I don't think there's need to see any more since I haven't changed anything. Whatever I had yesterday I have today as well.

yml configuration ->

splunk:
   url: https://splunk-api-b.{host}.com:8089
   sid-endpoint: /services/search/jobs
   splunk-response-endpoint: /services/search/jobs/{sid}

@RequestMapping(value = "${feign.splunk.sid-endpoint}", produces = { "*/*" }, consumes = { "application/x-www-form-urlencoded" }, method = RequestMethod.POST)
ResponseEntity splunkGetSid(@RequestBody MultiValueMap<String, String> getSplunkSidRequest, @RequestParam String output_mode, @RequestHeader(value="Authorization", required=true) String authorization);

@RequestMapping(value = "${feign.splunk.splunk-response-endpoint}", produces = { "application/json" }, consumes = { "application/json" }, method = RequestMethod.GET)
ResponseEntity splunkGetResponse(@RequestParam(value = "output_mode") String output_mode, @PathVariable String sid, @RequestHeader(value="Authorization", required=true) String authorization);


yuanliu
SplunkTrust

@PepposChris, I think @kamlesh_vaghela is asking about your search code submitted via API, not API job query. What have you submitted? And why do you expect eventCount to be greater than 0?


PepposChris
Observer

Oh, I'm sorry, and thanks for the clarification.

This is the query I'm passing ->

search index=**** sourcetype=****_*** cf_org_name=*******_******_*** NOT cf_app_name = ******* (cf_space_name=PCFQAT01 OR cf_space_name=PCFQAT02 OR cf_space_name=PCFQAT03) java.lang.NullPointerException earliest=-24h

 

I've been using this exact same query for almost 2 weeks now and I haven't had any issues. But just yesterday I started getting eventCount=0. Because this seemed weird I tried 3-4 other queries where all of them would return eventCount=0.

 

I am not expecting eventCount=0 because I am also using the Splunk>Enterprise UI web app, and when I tried searching with the same queries I was getting results.

 

Also my disk usage is ->

"diskUsage": 671744

Could this have anything to do with my issue?