https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543587#M153976 <P>There's often (usually) a delay from when an event is generated and when it is searchable within Splunk.&nbsp; That delay can exceed 30 seconds and is why many Enterprise Security searches use <FONT face="courier new,courier">latest=-1m</FONT> rather than <FONT face="courier new,courier">latest=now</FONT>.</P><P>There may be other explanations, like a <FONT face="courier new,courier">transaction</FONT> command discarding events because they aren't (yet) part of a complete transaction.</P> Fri, 12 Mar 2021 20:30:36 GMT richgalloway 2021-03-12T20:30:36Z https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543580#M153974 <P>Hello,</P><P>I recently faced an issue when populating a summary index. I scheduled a saved search to run every hour (with the last 60 minutes time range) and populate a summary index. The search takes around 5 minutes every time to be completed. My problem is&nbsp;that&nbsp;<SPAN>every time this scheduled search runs to populate the index, events in the last 30 seconds of the time range will be discarded from the results by Splunk.&nbsp;</SPAN><SPAN>For example, for&nbsp;a one-hour time range like 9:00:00 to 10:00:00, the index is only populated with the events from 9:00:00 to 9:59:30. This issue caused some gaps and discrepancies in our index data.&nbsp; Is there any way to solve this?<BR /></SPAN></P><P><SPAN>I searched a lot but couldn't find any answer <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></SPAN></P><P><SPAN>Thanks.</SPAN></P> Fri, 12 Mar 2021 18:50:41 GMT https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543580#M153974 Sharzi 2021-03-12T18:50:41Z https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543587#M153976 <P>There's often (usually) a delay from when an event is generated and when it is searchable within Splunk.&nbsp; That delay can exceed 30 seconds and is why many Enterprise Security searches use <FONT face="courier new,courier">latest=-1m</FONT> rather than <FONT face="courier new,courier">latest=now</FONT>.</P><P>There may be other explanations, like a <FONT face="courier new,courier">transaction</FONT> command discarding events because they aren't (yet) part of a complete transaction.</P> Fri, 12 Mar 2021 20:30:36 GMT https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543587#M153976 richgalloway 2021-03-12T20:30:36Z https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543601#M153979 <P>I usually schedule summary index updates at least 5 minutes past the hour for the previous hour, just to give the indexers time to do their work.</P> Fri, 12 Mar 2021 22:36:00 GMT https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543601#M153979 ITWhisperer 2021-03-12T22:36:00Z https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543886#M154062 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;,</P><P>We don't have any transaction command in our search query, but as you said, the problem was "latest".</P><P>I changed the "latest" and now it is working fine! Thanks.</P><P>&nbsp;</P> Mon, 15 Mar 2021 15:47:44 GMT https://community.splunk.com/t5/Splunk-Search/Scheduled-search-for-populating-summary-index-ignores-the-last/m-p/543886#M154062 Sharzi 2021-03-15T15:47:44Z