Re: In search results, why is API ignoring the cou...

kleszczynski · ‎10-03-2018

I'm using API call to retrieve results of the job search/jobs/{search_id}/results.

I'm running the following command:

curl -u admin:password -k "https://<HOST>/rest/services/search/jobs/<JOB_NUMBER>/results?count=1&output_mode=json"

But, no matter what, when I put for count param (0, 1, "asadafa", etc.) I get 100 events (which is default value).

Can there be some Splunk server configuration which makes the count parameter ignored? When I run the query on other Splunk instance it works as expected.

Splunk version: 6.6.6
The server which I'm trying connect to has an endpoint https://<HOST>/rest, which probably redirects to Splunk management API port.

harsmarvania57 · ‎10-04-2018

Can't you connect directly on splunk management port instead of redirecting from https://<HOST>/rest

I am using below command on SPlunk 7.1.2 and it is returning all values (I have more than 3K events in results and all returning in JSON)

curl -k -u admin:password "https://<SPLUNK_SERVER>:8089/services/search/jobs/<JOB_ID>/results?count=0&output_mode=json"

VatsalJagani · ‎10-03-2018

Hi @kleszczynski,
Can you try max_count option while creating search (not while getting the result)?

VatsalJagani · ‎10-03-2018

Hi @kleszczynski, Can you try adding count and output_mode=json into data option in curl?

kleszczynski · ‎10-03-2018

Do you mean -d count=1 -d output_mode=json? I've already tried it - the issue remains the same.

In search results, why is API ignoring the count parameter?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...