Hello Nick, thanks for the reply.
I am adding inspects of both searches in case that can give us any clues: one from the API and the other from the GUI. I don't see any differences in the search string; the only difference is in the providers. I don't understand why it would use different sources if the search is run on a single platform. Anyway, the REST API has more sources and fewer results (110k), and the GUI has fewer sources but still more results (375k). The username doesn't matter; it can be one user or a different user, and all get the same result. And no, the sourcetype is never changed, and the timezones are also the same. The API finishes the search relatively quickly (less than 30 seconds) compared to the GUI (about a minute).
Thanks!
GUI Search -
`Search job properties
createTime 2011-06-01T07:01:16.000+00:00
cursorTime 2011-05-30T02:30:00.000+00:00
delegate None
diskUsage 0
doneProgress 1.0
dropCount 0
eai:acl {'sharing': 'global', 'perms': {'read': ['user1'], 'write': ['user1']}, 'app': 'search', 'modifiable': 'true', 'can_write': 'true', 'owner': 'user1'}
earliestTime 2011-05-30T02:30:00.000+00:00
eventAvailableCount 10000
eventCount 375218
eventFieldCount 26
eventIsStreaming True
eventIsTruncated False
eventSearch search sourcetype="bankapp" earliest=05/30/2011:02:30:00 latest=05/30/2011:06:00:00
eventSorting desc
isDone True
isFailed False
isFinalized False
isPaused False
isPreviewEnabled 1
isRealTimeSearch False
isSaved False
isSavedSearch False
isZombie False
keywords earliest::05/30/2011:02:30:00 latest::05/30/2011:06:00:00 sourcetype::bankapp
label None
latestTime 2011-05-30T06:00:00.000+00:00
messages {'info': ['Your timerange was substituted based on your search string', '[splunk-tx-a1p] Your timerange was substituted based on your search string', '[splunk-tx-a2p] Your timerange was substituted based on your search string', '[splunk-tx-a3p] Your timerange was substituted based on your search string', '[splunk-nc-a2p] Your timerange was substituted based on your search string', '[splunk-nc-a3p] Your timerange was substituted based on your search string'], 'warn': ['Unable to distribute to peer named splunk-nc-a1p:8089 at uri https://splunk-nc-a1p:8089 because peer has status = "Down".']}
modifiedTime 2011-06-01T07:18:56.000+00:00
performance {'dispatch.fetch': {'duration_secs': '20.058', 'invocations': '102'}, 'command.search.typer': {'duration_secs': '0.001', 'output_count': '0', 'input_count': '0', 'invocations': '1'}, 'dispatch.timeline': {'duration_secs': '47.979', 'invocations': '102'}, 'command.search.index': {'duration_secs': '0.001', 'invocations': '1'}, 'dispatch.preview': {'duration_secs': '0.101', 'invocations': '101'}, 'command.search.tags': {'duration_secs': '0.001', 'output_count': '0', 'input_count': '0', 'invocations': '1'}, 'command.search.filter': {'duration_secs': '0.001', 'invocations': '1'}, 'command.fields': {'duration_secs': '0.001', 'output_count': '0', 'input_count': '0', 'invocations': '1'}, 'command.search': {'duration_secs': '0.002', 'output_count': '0', 'input_count': '0', 'invocations': '2'}}
priority 5
remoteSearch litsearch ( "sourcetype::bankapp" ) _time>=1306722600.000 _time<1306735200.000 | litsearch sourcetype="bankapp" _time>=1306722600.000 _time<1306735200.000 | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"
reportSearch None
request {'time_format': '%s.%Q', 'search': 'search sourcetype="bankapp" earliest=05/30/2011:02:30:00 latest=05/30/2011:06:00:00', 'required_field_list': '*', 'max_count': '10000', 'ui_dispatch_app': 'search', 'latest_time': None, 'status_buckets': '300', 'ui_dispatch_view': 'flashtimeline', 'earliest_time': None, 'auto_cancel': '100'}
resultCount 10000
resultIsStreaming True
resultPreviewCount 10000
runDuration 73.526
scanCount 375218
search search sourcetype="bankapp" earliest=05/30/2011:02:30:00 latest=05/30/2011:06:00:00
searchEarliestTime 1306722600.000000000
searchLatestTime 1306735200.000000000
searchProviders ['splunk-tx-a1p', 'splunk-tx-a2p', 'splunk-tx-a3p', 'splunk-nc-a2p', 'splunk-nc-a3p', 'splunkn-nc-a1p']
sid 1306911674.727
statusBuckets 300
ttl 555
Server info: Splunk 4.1.3, splunksearch, Wed Jun 1 07:19:41 2011; User: user1`
Rest API search -
Splunk Atom Feed: search sourcetype="bankapp" earliest=05/30/2011:02:30:00 latest=05/30/2011:06:00:00
Updated: 2011-06-01T06:49:28.000+00:00 Splunk build:
search sourcetype="bankapp" earliest=05/30/2011:02:30:00 latest=05/30/2011:06:00:00
cursorTime 1970-01-01T00:00:00.000+00:00
delegate
diskUsage 0
doneProgress 1.00000
dropCount 0
eai:acl
app search
can_write true
modifiable true
owner user3
perms
read
user3
write
user3
sharing global
earliestTime 2011-05-30T02:30:00.000+00:00
eventAvailableCount 110902
eventCount 110902
eventFieldCount 0
eventIsStreaming 1
eventIsTruncated 0
eventSearch search sourcetype="bankapp" earliest=05/30/2011:02:30:00 latest=05/30/2011:06:00:00
eventSorting desc
isDone 1
isFailed 0
isFinalized 0
isPaused 0
isPreviewEnabled 0
isRealTimeSearch 0
isSaved 0
isSavedSearch 0
isZombie 0
keywords earliest::05/30/2011:02:30:00 latest::05/30/2011:06:00:00 sourcetype::bankapp
label
latestTime 2011-05-30T06:00:00.000+00:00
messages
info
Your timerange was substituted based on your search string
[splunk-nc-a1p] Your timerange was substituted based on your search string
[splunk-nc-a2p] Your timerange was substituted based on your search string
[splunk-nc-a3p] Your timerange was substituted based on your search string
[splunk-tx-a1p] Your timerange was substituted based on your search string
[splunk-tx-a2p] Your timerange was substituted based on your search string
[splunk-tx-a3p] Your timerange was substituted based on your search string
performance
command.fields
duration_secs 0.001
input_count 0
invocations 1
output_count 0
command.search
duration_secs 0.002
input_count 0
invocations 2
output_count 0
command.search.filter
duration_secs 0.001
invocations 1
command.search.index
duration_secs 0.001
invocations 1
command.search.tags
duration_secs 0.001
input_count 0
invocations 1
output_count 0
command.search.typer
duration_secs 0.001
input_count 0
invocations 1
output_count 0
dispatch.fetch
duration_secs 5.373
invocations 71
dispatch.timeline
duration_secs 3.267
invocations 71
priority 5
remoteSearch litsearch ( "sourcetype::bankapp" ) _time>=1306722600.000 _time<1306735200.000 | litsearch sourcetype="bankapp" _time>=1306722600.000 _time<1306735200.000 | fields keepcolorder=t "host" "index" "source" "sourcetype" "splunk_server"
reportSearch
request
search search sourcetype="bankapp" earliest=05/30/2011:02:30:00 latest=05/30/2011:06:00:00
resultCount 110902
resultIsStreaming 1
resultPreviewCount 110902
runDuration 17.015000
scanCount 110902
searchEarliestTime 1306722600.000000000
searchLatestTime 1306735200.000000000
searchProviders
splunk-nc-a1p
splunk-nc-a2p
splunk-nc-a3p
splunk-tx-a1p
splunk-tx-a2p
splunk-tx-a3p
splunkn-tx-a1p
sid 1306910951.708
statusBuckets 0
ttl 574
events - results - results_preview - timeline - summary - control:
2011-06-01T06:49:28.000+00:00 | user3
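An added example, not part of the original post: a field-by-field comparison of the two job inspections above, which lists the providers, down-peer warnings and counters that differ between the GUI and REST API jobs. The dictionary layout and the names `GUI_JOB`, `API_JOB`, `down_peers` and `compare_jobs` are assumptions made for illustration; the values are copied from the two inspections.

```python
import re

# Values copied from the two job inspections in the post (subset of fields).
GUI_JOB = {
    "eventCount": 375218, "scanCount": 375218, "resultCount": 10000,
    "statusBuckets": 300, "runDuration": 73.526,
    "searchProviders": ["splunk-tx-a1p", "splunk-tx-a2p", "splunk-tx-a3p",
                        "splunk-nc-a2p", "splunk-nc-a3p", "splunkn-nc-a1p"],
    "warn": ['Unable to distribute to peer named splunk-nc-a1p:8089 at uri '
             'https://splunk-nc-a1p:8089 because peer has status = "Down".'],
}
API_JOB = {
    "eventCount": 110902, "scanCount": 110902, "resultCount": 110902,
    "statusBuckets": 0, "runDuration": 17.015,
    "searchProviders": ["splunk-nc-a1p", "splunk-nc-a2p", "splunk-nc-a3p",
                        "splunk-tx-a1p", "splunk-tx-a2p", "splunk-tx-a3p",
                        "splunkn-tx-a1p"],
    "warn": [],
}

# Matches the "Unable to distribute to peer" warning shown in the GUI job.
DOWN_RE = re.compile(r'peer named (?P<peer>[^\s:]+):\d+ .*status = "Down"')


def down_peers(job):
    """Peers the dispatching search head reported as having status Down."""
    return {m.group("peer") for w in job.get("warn", [])
            if (m := DOWN_RE.search(w))}


def compare_jobs(a, b):
    """Return provider, peer-status and scalar differences between two jobs."""
    pa, pb = set(a["searchProviders"]), set(b["searchProviders"])
    scalars = {k: (a[k], b[k]) for k in a
               if k not in ("searchProviders", "warn") and a[k] != b.get(k)}
    return {
        "providers_only_in_a": pa - pb,
        "providers_only_in_b": pb - pa,
        "down_in_a": down_peers(a),
        "down_in_b": down_peers(b),
        "scalar_diffs": scalars,
    }


if __name__ == "__main__":
    for key, value in compare_jobs(GUI_JOB, API_JOB).items():
        print(f"{key}: {value}")
```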