After upgrade to Splunk 5, search/jobs/export stopped returning valid JSON on request. Upon inspection, I see that it returns preview results in addition to the final one.
How do I make it return only finalized result?
I tried adding "exec_mode=oneshot" in the post data, but this has no effect. I tried adding the same thing in the search string, but instead of getting only final result, the search is finalized before I get full results.
Here are some examples of correct results, but invalid json (this happens with or without exe_mode set in post data):
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"7.451046943"}}
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"72.3570270548"}}
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"462.3673467760"}}
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"730.9158630706"}}
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"942.3713274259"}}
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"1089.2731590699"}}
{"preview":false,"offset":0,"lastrow":true,"result":{"sum(MB)":"1089.2731590699"}}
Here is the result when I run the same query with exec_mode=oneoff in the search string itself:
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"7.343144416"}}
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"71.4846410748"}}
{"preview":true,"offset":0,"lastrow":true,"result":{"sum(MB)":"209.8987865451"}}
{"preview":false,"offset":0,"lastrow":true,"result":{"sum(MB)":"209.8987865451"}}
Splitting the result by new line, and then grabbing only the last one is not an option, as most of the searches that I have to do through the API run for an hour or so, and produce massive resultset.
Let me know if additional information is needed.
... View more