Splunk Search

How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes?



I have a summary that is being run with the following parameters:
Start time (optional): -6m@m
Finish time (optional): -1m@m
Schedule type: Basic
Run every: 5 minutes
Condition: Always
Summary indexing: checked (enabled)

The summary looks after certain data in a large, main index. The search time is about 30 seconds.

I want to send a report every 5 minutes based on a new search on the summary index above.

Which is the best way to accomplish that without messing up the intervals?

For example, I'm worried that if the indexing takes a little longer, the data will be incomplete in the report. Or, if the intervals aren't matched properly, I might run the query for the report over the previous indexing period.

Can someone explain to me if my fears are well founded and point me to some documents describing the issue in more detail?




Hi mrg2k8

I don't know if this helps you, but it worked for me.

I used a savedsearch to generate my own summary index every 5 min, adding at the end

the commands

| addinfo
| eval _time = info_search_time   <<---- adds the same timestamp to all records, a new one every 5 min (info_search_time is populated by addinfo)
| table xxx, yyyy, zzzz
| collect index=mysummaryindex

Then I used another search just to collect the events that I want.

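One way to put the answer above into practice, as an added example that is not part of the original thread: two savedsearches.conf stanzas whose cron schedules are offset by 2 minutes, so the report only ever reads a completed summary run. Stanza names, the source search, the field names, the index name, the e-mail address and the 2-minute offset are assumptions.

```ini
# Added example (not from the original thread). Assumed stanza names,
# source search, field names, index name and recipient address.

[summary_every_5m]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -6m@m
dispatch.latest_time = -1m@m
# addinfo supplies info_search_time; every record of one run gets that
# single _time, so a run can later be selected as a unit
search = index=main sourcetype=foo \
| stats count by host \
| addinfo \
| eval _time = info_search_time \
| table _time host count \
| collect index=mysummaryindex

[report_every_5m]
enableSched = 1
# 2 minutes after each summary run, leaving room for the ~30 s search
cron_schedule = 2-59/5 * * * *
# wide enough to always contain the most recent completed run
dispatch.earliest_time = -7m@m
dispatch.latest_time = now
action.email = 1
action.email.to = ops@example.com
# keep only the records of the newest run, never a mix of two intervals
search = index=mysummaryindex \
| eventstats max(_time) as latest_run \
| where _time = latest_run \
| table _time host count
```

If a summary run is delayed past the 2-minute offset, the report still returns a complete set of records, just from the previous run, rather than a partial one.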


Thanks for the answer. I'll try it.
