Hi,
I have a customer who is exporting data via the REST API, and getting different results from the same time period, when testing, and I can't determine why. The data is kept for 90 days, so it shouldn't be archving. Here's the search:
curl -k -u ${SPLUSR}:${SPLPWD} --url https://lrtp449:8089/services/search/jobs/export --data-urlencode search='search earliest=10/5/2017:11:00:00 latest=10/5/2017:11:10:00 index=main sourcetype="ms:o365:management" | table _raw,_time' -d output_mode=json -o - testfile.$$.json
I run this via cron every 15 minutes, and get different results - sometimes as many as 500 lines or more.
↧