I am trying to use the Splunk REST API to get my saved searches from Splunk, create a search job with that query and then fetch the results for the returned SID. The problem I am experiencing is that whenever I fetch the results for the given SID it returns the response as:
{"preview": false,"init_offset": 0,"post_process_count": 0,"messages": [],"results": []}
which means there are no results for that query, but when I search this query in Splunk's UI I get 820 events as results.
I tried using adhoc_search_level=verbose in the body of the request, but it doesn't make any change to the result. If I remove the stats keyword from the query it returns the results, but whenever I try to use the stats command it returns an empty list of results. I also checked the job manager of Splunk: when I made a POST request to this URL https://localhost:8089/services/search/jobs?output_mode=json the job manager shows a job created which has 820 events in it with the same query I passed in the POST request. But when I try to fetch the results with the SID it returns 0 results.
Here is the search query:
search index="linux_sys" sourcetype="syslog" ("Failed password" OR "authentication failure")| stats count by user, src_ip| where count > 5| sort - count
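The flow described in the post, written out as an added example (this is not the poster's code or anything from Splunk's own SDK). The Splunk REST endpoints it uses (POST /services/search/jobs, GET /services/search/jobs/{sid}, GET /services/search/jobs/{sid}/results) and the Authorization: Bearer header for a Splunk authentication token are real; everything else is an assumption or constructed: the FakeSplunk stand-in and its sample rows, the SID it hands out, and the SPLUNK_TOKEN environment variable. The point the example makes is the one worth ruling out first with a transforming command like stats: the job has no final rows until its dispatchState is DONE, and reading /results before that returns exactly the {"preview": false, ..., "results": []} body shown above, so the client polls the job status and only then reads the results.

```python
# Added example: create a Splunk search job, wait for it, then read /results.
# Endpoints and Bearer header are real Splunk REST API; FakeSplunk, SAMPLE_ROWS,
# the SID and the SPLUNK_TOKEN variable are constructed / assumed for this example.
import json
import os
import ssl
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# The query from the post, passed verbatim as the "search" form field.
SEARCH = ('search index="linux_sys" sourcetype="syslog" '
          '("Failed password" OR "authentication failure")'
          '| stats count by user, src_ip| where count > 5| sort - count')

# A transport takes (method, path, form fields) and returns the decoded JSON body.
Transport = Callable[[str, str, Optional[Dict[str, str]]], dict]


def make_http_transport(base_url: str, token: str, verify_tls: bool = True) -> Transport:
    """Real transport to splunkd's management port, standard library only."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # only for a lab box with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def transport(method, path, fields):
        url = base_url.rstrip("/") + path
        data = None
        if fields and method == "GET":
            url += "?" + urllib.parse.urlencode(fields)
        elif fields:
            data = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)   # Splunk authentication token
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return transport


def create_job(transport: Transport, query: str) -> str:
    """POST /services/search/jobs and return the new job's SID."""
    body = {"search": query, "exec_mode": "normal", "output_mode": "json"}
    return transport("POST", "/services/search/jobs", body)["sid"]


def wait_for_job(transport: Transport, sid: str, timeout: float = 120.0,
                 poll_interval: float = 1.0) -> dict:
    """Poll GET /services/search/jobs/{sid} until isDone (or isFailed / timeout).
    A `| stats ...` search has no final rows until the job is DONE, so reading
    /results earlier yields an empty "results" list."""
    deadline = time.monotonic() + timeout
    while True:
        entry = transport("GET", f"/services/search/jobs/{sid}", {"output_mode": "json"})
        content = entry["entry"][0]["content"]
        if content.get("isFailed"):
            raise RuntimeError(f"search job {sid} failed: {content.get('messages')}")
        if content.get("isDone"):
            return content
        if time.monotonic() >= deadline:
            raise TimeoutError(f"search job {sid} still {content.get('dispatchState')}")
        time.sleep(poll_interval)


def fetch_results(transport: Transport, sid: str) -> List[dict]:
    """GET /services/search/jobs/{sid}/results; count=0 asks for every row."""
    resp = transport("GET", f"/services/search/jobs/{sid}/results",
                     {"output_mode": "json", "count": "0"})
    return resp["results"]


def run_search(transport: Transport, query: str, poll_interval: float = 1.0) -> List[dict]:
    """Create the job, wait until it is done, then read the final stats rows."""
    sid = create_job(transport, query)
    wait_for_job(transport, sid, poll_interval=poll_interval)
    return fetch_results(transport, sid)


class FakeSplunk:
    """Constructed stand-in for splunkd so the flow runs offline: the job is
    reported done only after `polls_until_done` status requests, and /results
    is empty before that, as it is for a real transforming search."""

    def __init__(self, rows: List[dict], polls_until_done: int = 2):
        self.rows, self.polls_until_done, self.status_polls = rows, polls_until_done, 0

    def __call__(self, method, path, fields=None):
        done = self.status_polls >= self.polls_until_done
        if method == "POST" and path == "/services/search/jobs":
            return {"sid": "1700000000.42"}                  # constructed SID
        if path.endswith("/results"):
            return {"preview": False, "init_offset": 0, "post_process_count": 0,
                    "messages": [], "results": self.rows if done else []}
        if path.startswith("/services/search/jobs/"):
            self.status_polls += 1
            done = self.status_polls >= self.polls_until_done
            return {"entry": [{"content": {"isDone": done, "isFailed": False,
                                           "dispatchState": "DONE" if done else "RUNNING",
                                           "eventCount": 820}}]}
        raise ValueError(f"unexpected request {method} {path}")


# Constructed rows in the shape `stats count by user, src_ip` returns (RFC 5737 addresses).
SAMPLE_ROWS = [{"user": "root", "src_ip": "203.0.113.10", "count": "41"},
               {"user": "admin", "src_ip": "198.51.100.7", "count": "9"}]


if __name__ == "__main__":
    if os.environ.get("SPLUNK_TOKEN"):      # assumed env var holding a Splunk auth token
        live = make_http_transport("https://localhost:8089", os.environ["SPLUNK_TOKEN"])
        print(json.dumps(run_search(live, SEARCH), indent=2))
    else:
        print(json.dumps(run_search(FakeSplunk(SAMPLE_ROWS), SEARCH, poll_interval=0), indent=2))
```

Run without SPLUNK_TOKEN set and it exercises the offline stand-in; with the token set it talks to the local splunkd on port 8089 from the post. The job status document is also where to look when results are unexpectedly empty: eventCount tells you how many raw events the job scanned (the 820 seen in the job manager), while the rows on /results only exist once isDone is true.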