Splunk Search

How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes?

mrg2k8
Explorer

Hello,

I have a summary that is being run with the following parameters:
Start time (optional): -6m@m
Finish time (optional): -1m@m
Schedule type: Basic
Run every: 5 minutes
Condition: Always
Summary indexing: checked (enabled)

The summary looks after certain data in a large, main index. The search time is about 30 seconds.

I want to send a report every 5 minutes based on a new search on the summary index above.

Which is the best way to accomplish that without messing up the intervals?

For example, I'm worried that if the indexing takes a little longer, the data will be incomplete in the report. Or, if the intervals aren't matched properly, I might run the query for the report over the previous indexing period.

Can someone explain to me if my fears are well founded and point me to some documents describing the issue in more detail?

Thanks.

0 Karma

jmallorquin
Builder

Hi mrg2k8

I don't know if this help you but it worked for me.

I used I savedsearch to generate every 5 min my own summary index adding at the end

the commands

|addinfo
|eval _time = info_search_time <<---- to add to all records the sime timestamp 5 min each time
|table xxx, yyyy, zzzz
|collect index=mysummaryindex

Then i used other search just to collect the events that i want.

0 Karma

mrg2k8
Explorer

Thanks for the answer. I'll try it.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...