Hi,
I am using the Python SDK to make the following query:
search sourcetype=WinEventLog:Security earliest=<epoch_time_1> latest=<epoch_time_2>
The difference between the two epoch times is 30 seconds. If I cut and paste the query into the Splunk GUI, I get a slightly larger set of results. I use the same account for making the query in both cases. Depending on the source, e.g. the busier the source, I get a bigger difference. I see anywhere from a difference of 10 to 2000 results. What could I be doing wrong?
-mohan