Hello, I have a search that runs in the web application interface (Splunk Enterprise). It returns results as and when log events are present within the search parameters (time window). I execute the exact same search at the same time via the REST API using Postman, it completes (Job status="DONE") but with zero available events or any events at all. Why might that happen? The search is copied and pasted from the web app to the API call in Postman. On occasion, it has worked but maybe one in a thousand calls will fetch results. Thank you. ... View more

In my first post, I need to search Splunk using the REST API. How do I get the system to actually return me some results? Steps POST a search, example:      search=search index=myIndex earliest=-1d "[nice-keyword]" AND "Nice catch-phrase" | rex field=_raw "reportingSystem\":\s+\"(?<system>\d{3})[\s\S]+operationCode\":\s+\"(?<opcode>\w+)[\s\S]+ticketId\":\s+\"(?<ticket>\d*)[\s\S]+transactionCode\":\s+\"(?<txcode>\w+)[\s\S]+NumericCode\":\s+\"(?<agency>\d*)" | table system, opcode, txcode, agency​     In the SEARCH User Interface, this makes a nice report Grab the job search ID. Continually GET the job status of the POSTed search until DONE or something else that helps me stop polling. Ask for the job results. Get 200 OK but no content. How does one actually format a search that can provide actual results via the API? Stumped. For days. I'm using Postman before moving on to my favorite middleware tool. Thank you. ... View more