My search is a scheduled report and calls the now() function to only get entries from a specific time away, using the relative_time method. However, the search is usually executed 2-5 seconds late (I don't know why, but that's what the Splunk job report says), so I think it'll miss entries which were done 1 second past the clock. So how do I get the now() function to round down so the missing records are taken in as well?

You can not only use relative_time(), you can also use things like -2d@d, which will snap to the minute or hour.
See the docs for more information on this topic: http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Specifytimemodifiersinyoursearch
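
The following is an added example, not part of the question or the answer above. It models a once-a-minute scheduled search in Python and compares the windows it covers with and without snapping the window to the minute, as a search using earliest=-1m@m latest=@m would. The run times, the event times and all function names are constructed for illustration.

```python
# Added illustration: a scheduled search that starts a few seconds late.
# Without snapping, the window moves with the start delay, so consecutive
# windows leave gaps (missed events) or overlap (duplicated events).
PERIOD = 60  # seconds between scheduled runs


def snap(ts, unit=PERIOD):
    """Round a timestamp down to the unit boundary (what "@m" does for 60 s)."""
    return ts - ts % unit


def windows(run_times, snapped):
    """Return the [earliest, latest) window that each run searches."""
    result = []
    for now in run_times:
        latest = snap(now) if snapped else now
        result.append((latest - PERIOD, latest))
    return result


def missed_and_duplicated(event_times, wins):
    """Return (events in no window, events in more than one window)."""
    missed, duplicated = [], []
    for event in event_times:
        hits = sum(lo <= event < hi for lo, hi in wins)
        if hits == 0:
            missed.append(event)
        elif hits > 1:
            duplicated.append(event)
    return missed, duplicated


# Constructed sample: runs scheduled at 60, 120, 180 and 240 s,
# actually started 2-5 seconds late.
RUN_TIMES = [62, 125, 182, 244]
# Constructed sample: one event per second.
EVENTS = list(range(10, 180))

if __name__ == "__main__":
    for snapped in (False, True):
        wins = windows(RUN_TIMES, snapped)
        missed, duplicated = missed_and_duplicated(EVENTS, wins)
        label = "snapped" if snapped else "unsnapped"
        print(label, wins, "missed:", missed, "duplicated:", duplicated)
```

With snapped windows each run covers the last complete minute, so an event in the current partial minute is picked up by the next run instead of being lost.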