Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Indexing of data that does not have timestamp but just date

splunkears
Path Finder
โ€Ž10-24-2013 02:16 PM

How do we index a data file which is an aggregated data for a given day. The data does not contain timestamp.
Splunk gives an error while searching- saying that "Error in IndexScopedSearch: The search failed. More than XXX events found at time t"

I've looked at these forums and found the following link, which tells me its a limitation on Splunk.

  1. Max number events at the same timestamp
  2. Tuning Search with more than 250K events at one timestamp
  3. Disable timestamp processor

Consider the following use-case.
Imagine, you are looking at a stock price data on a day-scale for 6 months. The data file in this case, may contain ticker price for a given day. If the data points are more than 100K, since there is no timestamp, Splunk given the error during search time.

Has anyone figured how to workaround this?

0 Karma
Reply

rabitoblanco
Path Finder
โ€Ž03-16-2016 11:31 AM

Sounds like a good candidate for a daily summary. This way, you would have one value per day (or one value per hour) --or several values such as avg, max, min, etc.--depending on the level of granularity you want. This could make it easy to see a larger (yearly) timeframe.

http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Usesummaryindexing

0 Karma
Reply