Hello,
I've been using the SPLUNK search REST API for a while now and just today I've run into the following issue.
When calling the services/search/jobs/{search_id} API I get back the proper results with dispatchState: DONE and eventCount: 0, but I know for sure that there are results because I also tried running the same query from the Splunk UI and I do get results back.
Has anything changed since yesterday (since it was working)? I don't think it's user related because I tried with several users and got the same results.
I don't think there's a need to see any more since I haven't changed anything. Whatever I had yesterday I have today as well.
yml configuration ->

splunk:
  url: https://splunk-api-b.{host}.com:8089
  sid-endpoint: /services/search/jobs
  splunk-response-endpoint: /services/search/jobs/{sid}

// POST: creates the search job; the response carries the search id (sid)
@RequestMapping(value = "${feign.splunk.sid-endpoint}",
        produces = { "*/*" },
        consumes = { "application/x-www-form-urlencoded" },
        method = RequestMethod.POST)
ResponseEntity splunkGetSid(@RequestBody MultiValueMap<String, String> getSplunkSidRequest,
        @RequestParam String output_mode,
        @RequestHeader(value = "Authorization", required = true) String authorization);

// GET: reads back the job identified by sid
@RequestMapping(value = "${feign.splunk.splunk-response-endpoint}",
        produces = { "application/json" },
        consumes = { "application/json" },
        method = RequestMethod.GET)
ResponseEntity splunkGetResponse(@RequestParam(value = "output_mode") String output_mode,
        @PathVariable String sid,
        @RequestHeader(value = "Authorization", required = true) String authorization);

@PepposChris, I think @kamlesh_vaghela is asking about your search code submitted via the API, not the API job query. What have you submitted? And why do you expect eventCount to be greater than 0?
Oh, I'm sorry, and thanks for the clarification.
This is the query I'm passing ->
search index=**** sourcetype=****_*** cf_org_name=*******_******_*** NOT cf_app_name = ******* (cf_space_name=PCFQAT01 OR cf_space_name=PCFQAT02 OR cf_space_name=PCFQAT03) java.lang.NullPointerException earliest=-24h
I've been using this exact same query for almost 2 weeks now and I haven't had any issues. But just yesterday I started getting eventCount=0. Because this seemed weird, I tried 3-4 other queries, where all of them would return eventCount=0.
I am not expecting eventCount=0 because I am also using the Splunk>Enterprise UI web app, and when I tried searching with the same queries I was getting results.
Also my disk usage is ->