https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400507#M167908 <P>Hello,</P> <P>I have created a saved search to populate summary index. I am running saved search for every 5 minutes.</P> <P>What i want is, first time when the saved search runs, it should run with time range as all time.<BR /> And from the second time on wards, saved search should with time range as "last 5 mins" (ie, latest=now and earliest=last time when ss ran succesfully)</P> <P>So that i will avoid duplicate of data in summary index.</P> <P>How to achieve this?</P> <P>Thanks in advance.</P> Mon, 13 Aug 2018 14:36:54 GMT chinmayc469 2018-08-13T14:36:54Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400507#M167908 <P>Hello,</P> <P>I have created a saved search to populate summary index. I am running saved search for every 5 minutes.</P> <P>What i want is, first time when the saved search runs, it should run with time range as all time.<BR /> And from the second time on wards, saved search should with time range as "last 5 mins" (ie, latest=now and earliest=last time when ss ran succesfully)</P> <P>So that i will avoid duplicate of data in summary index.</P> <P>How to achieve this?</P> <P>Thanks in advance.</P> Mon, 13 Aug 2018 14:36:54 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400507#M167908 chinmayc469 2018-08-13T14:36:54Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400508#M167909 <P>The first all time search, you can probably run manually, there after, you should chose earliest and latest with little bit of padding. latest=now is not a good practice as you are not accounting for the delay in the raw data. You can do something like earliest=-8m@m latest=-3m@m so that you account for 180 seconds of delay depending on how busy your indexers and forwarders are.</P> Mon, 13 Aug 2018 15:59:59 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400508#M167909 pradeepkumarg 2018-08-13T15:59:59Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400509#M167910 <P>Yep, run the first saved search manually then schedule it thereafter </P> Mon, 13 Aug 2018 17:35:09 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400509#M167910 skoelpin 2018-08-13T17:35:09Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400510#M167911 <P>how about in production machines? we will not have access to change once it is gone to production.</P> Tue, 14 Aug 2018 04:48:47 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400510#M167911 chinmayc469 2018-08-14T04:48:47Z https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400511#M167912 <P>I don't get what you're asking.. On your production servers, you should backfill against all-time then once your backfilled, you should set up a scheduled search which will populate your summary index going forward. I would also suggest using the python script to backfill. This gives you the ability to ignore data thats already been backfilled and you can run parallel backfills without duplicates </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Managesummaryindexgapsandoverlaps">https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Managesummaryindexgapsandoverlaps</A></P> Tue, 14 Aug 2018 13:35:18 GMT https://community.splunk.com/t5/Splunk-Search/Question-regarding-summary-index-with-saved-search/m-p/400511#M167912 skoelpin 2018-08-14T13:35:18Z