https://community.splunk.com/t5/Splunk-Search/How-can-I-report-on-only-current-data-in-a-file-being-refreshed/m-p/343079#M101613 <P>A file is being referenced, that is updated every minute.<BR /> I would like to report on data that <STRONG>only exists in that file for the last minute</STRONG>.</P> <P>Background: The data in the file is for outage events. When an outage occurs, the data has the estimated restoration time.<BR /> If the outage is restored, the data no longer exists on this file. </P> <P>Right now I am I am keying off of the restoration value in the file. Using this logic is not accurate, because in most cases the outage has been restored before the estimated restoration.</P> <PRE><CODE>|eval completed_time=strptime(ert, "%Y-%m-%dT%H:%M:%S") | eval now=now() | where completed_time&gt;now </CODE></PRE> <P>What is happening is the data does not fall off the dashboard till the restoration time is past present time.</P> <P>How can I report only on data that exists in this file? Again the file is refreshed every minute with only current outage data.</P> <P>Appreciate your time and thoughts.</P> Wed, 08 Mar 2017 19:55:31 GMT bcarnot 2017-03-08T19:55:31Z https://community.splunk.com/t5/Splunk-Search/How-can-I-report-on-only-current-data-in-a-file-being-refreshed/m-p/343079#M101613 <P>A file is being referenced, that is updated every minute.<BR /> I would like to report on data that <STRONG>only exists in that file for the last minute</STRONG>.</P> <P>Background: The data in the file is for outage events. When an outage occurs, the data has the estimated restoration time.<BR /> If the outage is restored, the data no longer exists on this file. </P> <P>Right now I am I am keying off of the restoration value in the file. Using this logic is not accurate, because in most cases the outage has been restored before the estimated restoration.</P> <PRE><CODE>|eval completed_time=strptime(ert, "%Y-%m-%dT%H:%M:%S") | eval now=now() | where completed_time&gt;now </CODE></PRE> <P>What is happening is the data does not fall off the dashboard till the restoration time is past present time.</P> <P>How can I report only on data that exists in this file? Again the file is refreshed every minute with only current outage data.</P> <P>Appreciate your time and thoughts.</P> Wed, 08 Mar 2017 19:55:31 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-report-on-only-current-data-in-a-file-being-refreshed/m-p/343079#M101613 bcarnot 2017-03-08T19:55:31Z https://community.splunk.com/t5/Splunk-Search/How-can-I-report-on-only-current-data-in-a-file-being-refreshed/m-p/343080#M101614 <P>You can use the _index_earliest and _index_latest relative timerange specifier to only use the data indexed in last minutes. Based on how the timestamp appears on your data, you may need to use a large time range period so that all data is included. Try like this</P> <PRE><CODE>your base search _index_earliest=-1m@m _index_latest=@m | rest of the search </CODE></PRE> <P>See more info on timerange modifier here: <A href="https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/SearchTimeModifiers" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/SearchTimeModifiers</A></P> Tue, 29 Sep 2020 13:11:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-report-on-only-current-data-in-a-file-being-refreshed/m-p/343080#M101614 somesoni2 2020-09-29T13:11:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-report-on-only-current-data-in-a-file-being-refreshed/m-p/343081#M101615 <P>This works perfect and thank you for the link.<BR /> Thank you!</P> Thu, 09 Mar 2017 17:15:27 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-report-on-only-current-data-in-a-file-being-refreshed/m-p/343081#M101615 bcarnot 2017-03-09T17:15:27Z