I have a Java program that uses the Splunk SDK 1.5.0 to set up a service, create a job, and get the result count like so:

```java
HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername(username);
loginArgs.setPassword(password);
loginArgs.setHost(host);
loginArgs.setPort(8089);
Service service = Service.connect(loginArgs);

Args searchArgs = new Args();
searchArgs.put("earliest_time", "09/01/2015:00:00:00");
searchArgs.put("latest_time", "10/01/2015:00:00:00");
String query = "search index=ats(sourcetype=source) log_type=\"TEST.LOG\"|table _time,ORDER_ID|sort 0 - _time";
Job job = service.getJobs().create(query, searchArgs);

while (!job.isDone()) {
    Thread.sleep(500);
}

int resultCount = job.getResultCount(); // number of results this job returned
System.out.println("resultCount: " + resultCount);
```

Even though the `query`, `earliest_time`, and `latest_time` values remain the same, I am getting a different number of results each time the program runs.
Running this code shows that the maximum result rows is set to `200,000`:

```java
Entity restApi = service.getConfs().get("limits").get("restapi");
int maxResults = Integer.parseInt((String) restApi.get("maxresultrows"));
```

The `resultCount` varies between 1,500,000 - 1,700,000. Is there something else I'm missing that leads to this inconsistency?