We are using a very old version of the Splunk Java API. The jar file is named splunk2.jar, and I believe it used to be maintained out on http://code.google.com. This API has worked fine through Splunk 4.2.3 build 105575. We are now trying to migrate to Splunk 5.0.1 build 143156, and the code using the old API is no longer working. In debugging our code against a Search server running Splunk 5.0.1, our code gets through the dispatchAndWait and getCookedResultsJSON method calls. However, the JsonArray object from the getCookedResultsJSON method call comes back with a size of 0.

Also, the audit.log file on the Search server running Splunk 5.0.1, we see a record for the search containing "action=search, info=granted". However, we don't see a record containing "action=search, info=completed" like we do on a Search server running Splunk 4.2.3. Instead, on the 5.0.1 server, we eventually see a record containing "action=search, info=canceled", suggesting that the search ultimately failed or was cleaned up for some reason.

The "action=search, info=granted" records look virtually identical between the 5.0.1 and 4.2.3 servers, except that "maxtime=8640000" is in the parameter list on the 5.0.1 server, and "maxtime=0" is in the list on the 4.2.3 servers. That doesn't seem to be a difference that is significant, but the code running the old API version is presumably incompatible with a 5.0.1 server in some respect.

So, is it fair to assume that the old API is incompatible with 5.0.1? Is there something simple we might try to get the old API working without needing to rework the code much? It's probably time for us to upgrade to the latest API anyway, but the new API appears to be completely different from the old API, with new method calls, etc. If we do upgrade to use the new API, is there a migration path that anyone can recommend to take some of the pain out of this, or do we just need to bite the bullet and figure out how to modify the code to use the new API? Upgrading our code to use the new API is probably the right thing to do in any case. However we'd really like to upgrade our environment to 5.0.1 ASAP, and this was an unexpected development. There's also a few programs maintained by different groups that use the old Splunk API, so getting this all upgraded quickly to use the new API is a bit of a challenge. But if it's what we gotta do, then so be it. Just figured I'd ask to see whether anyone had any magic bullets or ideas to reduce some of the pain in a migration to the new API. Some documentation comparing the old and new APIs would be helpful, but I can't even find documentation on the old API any longer.