I'm retrieving data from Splunk using the REST API via production port 8980. On the GUI I can see 770 events, but when I retrieve the data I get fewer than 100.
Here is my code in Java to retrieve the data:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import com.google.gson.Gson;
import com.splunk.Job;
import com.splunk.JobResultsArgs;
import org.json.simple.JSONArray;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;

public JSONObject Post_request() throws IOException, ParseException {
    String Query = "search " + OS_Vuln_Query;
    Job job = session.make_Request().getJobs().create(Query);
    while (!job.isDone()) {
        try {
            Thread.sleep(500); // poll until the search job has finished
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return null;
        }
    }
    JobResultsArgs resultsArgs = new JobResultsArgs();
    // assumed: output mode must be JSON for the parsing below to work
    resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
    // count is left at its default here, which caps the response at 100 results
    InputStream results = job.getResults(resultsArgs);
    BufferedReader br = new BufferedReader(new InputStreamReader(results));
    StringBuilder sb = new StringBuilder();
    String line;
    while ((line = br.readLine()) != null) {
        sb.append(line);
    }
    JSONParser parser = new JSONParser();
    JSONObject json = (JSONObject) parser.parse(sb.toString());
    String vulns_as_string = json.get("results").toString();
    JSONArray vulns_to_json = (JSONArray) parser.parse(vulns_as_string);
    if (vulns_to_json.size() > 0) {
        System.out.print("Splunk return results");
        for (int v = 0; v < vulns_to_json.size(); v++) {
            String vuln_as_string = vulns_to_json.get(v).toString();
            Vulnerability vulnerability = new Gson().fromJson(vuln_as_string, Vulnerability.class);
        }
        data_Parsed = true;
        return json;
    }
    System.out.print("Splunk return empty results");
    return null;
}
I make the request to Splunk from a different class - it returns a service which I use to pass queries to Splunk.
I figured it out from the Splunk documentation; it wasn't really clear in the beginning. If the count in resultsArgs is not set to 0, it will return the first 100 results only. To fix that, just set setCount in resultsArgs to 0:
resultsArgs.setCount(0); // to return all results
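The fix above, carried through into a complete fetch with a verification step, as an added example (not the asker's code): it requests JSON output, sets the count to 0 so the whole result set comes back, and then compares the parsed array length against the job's own result count so a silently truncated fetch is caught instead of passed on. It assumes an already connected com.splunk.Service named service, and that the Splunk Java SDK and json-simple are on the classpath.

```java
// Added example, not part of the original question or answer.
// Assumes a connected com.splunk.Service `service` (the equivalent of the
// asker's session.make_Request()) and a search string such as "search index=main".
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

import com.splunk.Job;
import com.splunk.JobResultsArgs;
import com.splunk.Service;

import org.json.simple.JSONArray;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;

public class SplunkAllResults {

    public static JSONArray fetchAll(Service service, String searchQuery)
            throws IOException, ParseException, InterruptedException {
        Job job = service.getJobs().create(searchQuery);
        while (!job.isDone()) {
            Thread.sleep(500); // poll until the search has finished
        }

        JobResultsArgs resultsArgs = new JobResultsArgs();
        resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
        resultsArgs.setCount(0); // 0 = return all results instead of the default 100

        StringBuilder sb = new StringBuilder();
        try (InputStream in = job.getResults(resultsArgs);
             BufferedReader br = new BufferedReader(
                     new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line);
            }
        }

        JSONObject json = (JSONObject) new JSONParser().parse(sb.toString());
        JSONArray results = (JSONArray) json.get("results");

        // Sanity check: the job reports how many results it produced. If the
        // array is shorter, something is still truncating the fetch.
        int expected = job.getResultCount();
        if (results.size() != expected) {
            throw new IllegalStateException("fetched " + results.size()
                    + " results but the job reports " + expected);
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        // `service` would come from Service.connect(...) with your host, port and credentials.
        Service service = null; // placeholder: replace with a real connection
        JSONArray all = fetchAll(service, "search index=main");
        System.out.println("fetched " + all.size() + " results");
    }
}
```

Setting the count to 0 returns the entire result set in one response; for very large searches the same JobResultsArgs also offers setOffset, so the results can be walked in pages of a fixed count instead, with the getResultCount check at the end telling you whether every page arrived.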