Splunk Search

After splunk job failed, we are unable to fetch the every 5 mins history data.

DKR1
New Member

@links to members

'search earliest=-10m latest=now index= 'xyz'

(host=abcd123 or host=abcd345)

TxnStart2End| rex "Avg=(?<avgRspTime>\d+)"  | rex "count=(?<count>\d+)"  |timechart span=5m

sum(count) as Vol,

avg(avgrsptime) as "ART" | eval TPS=(vol/300) | table _time Vol Avgresptime TPS | sort_time'

 

the above query will fetch every 5 mins records so no worries but the issue is if the splunk job failed and run after half an hour for example:

 

suppose my job last run is 10:00am  and it fetch records until 10:00 AM for every 5 mins spam.

my job got failed at 10:01 am and it will run again at 11:00 am, but in between 10:01 am to 11:00 am data is missing ( so my requirement is I need missing data in the spam of for every 5 mins)

i.e 10:05 data, 10:10 data ...10:50, 10:55 and 11:00 data..

please help with correct query.

Labels (1)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

How frequently your Splunk job runs (cron schedule)? What do you do with generated report?

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...