topic How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes? in Splunk Search

How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes?

mrg2k8 — Wed, 20 May 2015 09:31:57 GMT

Hello,

I have a summary that is being run with the following parameters:
Start time (optional): -6m@m
Finish time (optional): -1m@m
Schedule type: Basic
Run every: 5 minutes
Condition: Always
Summary indexing: checked (enabled)

The summary looks after certain data in a large, main index. The search time is about 30 seconds.

I want to send a report every 5 minutes based on a new search on the summary index above.

Which is the best way to accomplish that without messing up the intervals?

For example, I'm worried that if the indexing takes a little longer, the data will be incomplete in the report. Or, if the intervals aren't matched properly, I might run the query for the report over the previous indexing period.

Can someone explain to me if my fears are well founded and point me to some documents describing the issue in more detail?

Thanks.

Re: How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes?

jmallorquin — Mon, 28 Sep 2020 19:55:49 GMT

Hi mrg2k8

I don't know if this help you but it worked for me.

I used I savedsearch to generate every 5 min my own summary index adding at the end

the commands

|addinfo
|eval _time = info_search_time <<---- to add to all records the sime timestamp 5 min each time
|table xxx, yyyy, zzzz
|collect index=mysummaryindex

Then i used other search just to collect the events that i want.

Re: How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes?

mrg2k8 — Wed, 20 May 2015 12:46:22 GMT

Thanks for the answer. I'll try it.