Splunk Search

Why am I getting an incorrect count searching a summary index using the Splunk REST API?

kartik13
Communicator

I am using the Splunk REST API. While making a request to Splunk, I receive the response, but with wrong numbers. My search is for summary indexing, and the number of events in the summary index is less than about 2500 records. However, the count of an event field comes back differently when using the API.

I have tried increasing the status bucket size and also tried the bin option. I am using exec_mode=oneshot. I am not able to figure out what is wrong.

0 Karma

frobinson_splun
Splunk Employee

Ok, thanks for the details. I'm not sure of all of the details of your situation, but have you ensured that there are no gaps in the summary index search?

There might be something that needs adjusting in the scheduling or other setup of your summary index that could affect event counts in the index. I'm not sure if you are seeing fewer events in the summary index or in the event field count with the API.

See these topics in our documentation:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Usesummaryindexing#Schedule_the_populati...

http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Managesummaryindexgapsandoverlaps

It might also help if you can post your query to make sure that it is configured properly for the results you expect.

This is just a suggestion to start troubleshooting. You can also contact Support to get more specific guidance.

Hope this helps!

kartik13
Communicator

Hi @frobinson,

Yes, you were right, it has to do with the gaps in the summary indexing. When I searched on a daily basis, it gave me a correct result, but during a monthly search the results were different. Looking forward to it, I will update the answer as soon as I get the solution. Meanwhile, if you can suggest anything, that will be great.

Thanks & Cheers!!!

frobinson_splun
Splunk Employee

I'm glad that we've identified the problem! I can't be sure why your monthly search results are different. Did you get the chance to run through the troubleshooting guidance in the documentation links above? There might be an issue with the monthly search scheduling or timing, for example, that causes events to be missed.

As part of checking the timing for the scheduled search, you might also want to check the time zone settings for the scheduled search, just to be sure the settings match what you expect.

Please feel free to post more details!

0 Karma

frobinson_splun
Splunk Employee

Hi @kartik13,
What REST endpoint are you using, specifically?

0 Karma

kartik13
Communicator

I am using the /services/search/jobs endpoint with exec_mode=oneshot, so it is blocking in nature and gives back the result in the same call. I have also tried exec_mode=blocking with an increased bucket size and count, but the result is the same.

0 Karma
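The gap and overlap check that the thread converges on, as an added example that is not part of the original posts or of Splunk's own tooling. It assumes you have already collected, per run of the summary-populating scheduled search, the earliest and latest `_time` it wrote to the summary index (for example with an assumed search such as `index=<summary> search_name=<name> | stats min(_time) max(_time) by info_search_time`, adapted to your setup); the runs below are constructed sample data for an hourly schedule.

```python
from datetime import datetime, timedelta, timezone


def sample_time(hour, minute=0):
    # Helper for the constructed sample only: a fixed day in UTC.
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: (start, end) half-open ranges written by each hourly run.
# The 03:00-04:00 run never happened, and the 04:30 run re-covered part of 04:00-05:00.
SAMPLE_RUNS = [
    (sample_time(0), sample_time(1)),
    (sample_time(1), sample_time(2)),
    (sample_time(2), sample_time(3)),
    (sample_time(4), sample_time(5)),
    (sample_time(4, 30), sample_time(6)),  # overlaps the previous run by 30 minutes
    (sample_time(6), sample_time(7)),
]


def find_gaps_and_overlaps(runs, tolerance=timedelta(seconds=0)):
    """Return (gaps, overlaps) as lists of (start, end) datetime pairs.

    A gap is time no run covered (events missing from the summary, so a
    monthly total comes out low); an overlap is time two runs both covered
    (events double-counted, so the total comes out high). Runs are sorted
    by start, and `tolerance` absorbs small scheduling jitter.
    """
    gaps, overlaps = [], []
    covered_to = None  # latest end time seen so far
    for start, end in sorted(runs):
        if covered_to is not None:
            if start - covered_to > tolerance:
                gaps.append((covered_to, start))
            elif covered_to - start > tolerance:
                overlaps.append((start, min(covered_to, end)))
        covered_to = end if covered_to is None else max(covered_to, end)
    return gaps, overlaps


def coverage_ok(runs, tolerance=timedelta(seconds=0)):
    """True when the runs tile the period with neither gaps nor overlaps."""
    gaps, overlaps = find_gaps_and_overlaps(runs, tolerance)
    return not gaps and not overlaps


if __name__ == "__main__":
    gaps, overlaps = find_gaps_and_overlaps(SAMPLE_RUNS)
    for g in gaps:
        print("gap:     ", g[0].isoformat(), "->", g[1].isoformat())
    for o in overlaps:
        print("overlap: ", o[0].isoformat(), "->", o[1].isoformat())
```

Comparing a daily and a monthly count for the same period, as done in the thread, only tells you the totals differ; this lists the exact intervals to backfill or dedupe.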