i'm using splunk 6.1.1
I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"
.. | where isnotnull(HAS_ERROR_TYPE) | dedup SID1 | sitimechart span=1h count by HAS_ERROR_TYPE
I've got many overlapping events in Summary index next day.
,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"
Whats wrong in my search or scheduler?
But I'm upset that si- commands acts as collect command and didn't help to automate filling gaps in summary index.
Are there any trick to construct search to fill all summary index gaps which was a week or a month ago?
My opinion will be to avoid using now for summary index searches. The schedule/data you're querying can be achieved by following and may be more accurate.
Search time range: earliest=-62m@m latest=-2m@m Schedule type : cron Cron schedule : 1-59/59 * * * * ( run every 60 min starting from min 1 [2nd min])
This will run at 2nd minute every hour and consider data for full previous hour.
Thanks, i've finally got this settings. Are it correct?
1) Start Time: -1h@h
2) End Time: @h
3) Cron Schedule: 5 ! ! ! !
(!=*, incorrect site formatting)