Hello
It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.
Regards
Hello
It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.
Regards
Makes sense. Thanks. I was hopping that searches would be queued up for a short period of time to avoid having to worry about restarts. The search only takes a few seconds so hopefully this won't be an issue.
If the restart tooks more than 1 minute, then that execution will be skkiped, and you would need to run a command to backfill that missing execution
If the restart take place between executions, then the summary index won't be affected.
Regards
It's a search that is scheduled every 5 minutes to populate a 5 minute summary index. The start time is -6m@m
and finish is -1m@m
with a cron schedule of 1,6,11,16,21,26,31,36,41,46,51,56 * * * *
. If I understand you correctly, if the Splunk server is restarted at 14:30 and the next scheduled search is set to run at 14:31 then it would be skipped?