topic Re: I am running an import script for an interval of 5 mins to collect data from all sourcetypes and put it into a summary index. in Splunk Search

I am running an import script for an interval of 5 mins to collect data from all sourcetypes and put it into a summary index.

Gunjan92 — Fri, 06 Mar 2020 19:22:32 GMT

I have a situation where in the span of 10 mins there could be a possibility that we didn't get any data from one of the sourcetype for one interval but started getting data for next interval, by this way I am loosing data in summary index. Any suggestion would be helpful.

So this random source is collecting data from all the sourcetypes.

Re: I am running an import script for an interval of 5 mins to collect data from all sourcetypes and put it into a summary index.

anmolpatel — Mon, 09 Mar 2020 10:41:55 GMT

Don't really understand the question. Can you please elaborate or provide an example?

Re: I am running an import script for an interval of 5 mins to collect data from all sourcetypes and put it into a summary index.

woodcock — Sun, 15 Mar 2020 21:39:27 GMT

This is the reason that most searches of this type run at least 5 minutes back in time, preferably an hour or more. There really is no way around it. You can examine your latency with a search like this:

|tstats max(_indextime) AS indextime WHERE index=_* OR index=* BY index sourcetype _time
| stats avg(eval(indextime - _time)) AS latency BY index sourcetype
| fieldformat latency = tostring(latency, "duration")
| sort 0 - latency