Hi,
I am trying to do a real-time Splunk search using the REST API. The endpoint I am sending a request to is `services/search/jobs/export` and if I understand the documentation correctly, I should be getting a stream of events that match my search. My problem is that I am not receiving ANY data back. I am 100% sure the events are happening and getting into Splunk, because I can see them through Splunk Web.
More info about the request I am making:
- **earliest_time** and **latest_time** are set to **rt**
- **search_mode** is set to **realtime**. I tried every possible value and still I couldn't get anything back.
The only way I get some data back is if I set the **auto_cancel** parameter to some value. After the search cancels, I get the accumulated results back. What I don't understand is why I am not getting the data streamed back. What am I missing?
I would be really grateful if someone points me in the right direction. Thanks!
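To make the set-up in the question concrete, here is a small client that reads the `services/search/jobs/export` response incrementally rather than waiting for the whole body. This is an added example, not code from the post or from Splunk; it assumes a Splunk management port at `SPLUNK_URL` (placeholder), a session token, and `output_mode=json`, which returns one JSON object per line with a `preview` flag and a `result` payload.

```python
"""Read a real-time Splunk export stream line by line (added example)."""
import json
import requests  # third-party HTTP client, assumed installed

SPLUNK_URL = "https://splunk.example.com:8089"  # placeholder host

def build_export_params(search, realtime=True):
    """Request parameters matching the question: rt window, realtime mode."""
    params = {"search": search, "output_mode": "json"}
    if realtime:
        params.update({"earliest_time": "rt", "latest_time": "rt",
                       "search_mode": "realtime"})
    return params

def parse_export_lines(lines):
    """Yield (is_preview, result) from NDJSON lines; blank lines are ignored."""
    for raw in lines:
        if isinstance(raw, bytes):
            raw = raw.decode("utf-8")
        raw = raw.strip()
        if not raw:
            continue  # assumed keepalive/separator, carries no event
        obj = json.loads(raw)
        if "result" in obj:
            yield bool(obj.get("preview", False)), obj["result"]

def stream_export(token, search):
    """POST the export request and consume the body as it arrives."""
    resp = requests.post(f"{SPLUNK_URL}/services/search/jobs/export",
                         headers={"Authorization": f"Splunk {token}"},
                         data=build_export_params(search),
                         stream=True, verify=True)  # keep TLS verification on
    resp.raise_for_status()
    for preview, event in parse_export_lines(resp.iter_lines()):
        print("preview" if preview else "final", event.get("_raw"))

# Constructed sample of what the endpoint emits, used for an offline check.
SAMPLE_LINES = [
    b'{"preview":true,"offset":0,"result":{"_raw":"login ok","host":"h1"}}',
    b'',
    b'{"preview":false,"offset":0,"lastrow":true,"result":{"_raw":"logout"}}',
]

def demo():
    """Parse the constructed sample; returns a list of (preview, _raw)."""
    return [(p, r["_raw"]) for p, r in parse_export_lines(SAMPLE_LINES)]

if __name__ == "__main__":
    print(demo())
```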