Getting incomplete (lesser number of events as results ) when using rest API. The same search i run in the splunk enterprise gives 90 events always, but the splunk api returning only 12-14 events(varying). Both the searches have earliest_time=-1d and the exec_mode is oneshot, so i am getting the results back then only. Here i was using search/jobs api and oneshot mode, so the reuslts were incomplete. I read somewhere and rather used post:search/jobs, get: search/jobs/{sid} in a while loop and then retrieved results, but the results still are incomplete. Cant seem to find a solution, would be great if anyone could help, my search looks like this, although not sure if it matters. index="val" [search index="val" field1="val2" | dedup field2 | format] eventstats count by field2
... View more