Splunk Search

How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes?



I have a summary that is being run with the following parameters:
Start time (optional): -6m@m
Finish time (optional): -1m@m
Schedule type: Basic
Run every: 5 minutes
Condition: Always
Summary indexing: checked (enabled)

The summary looks after certain data in a large, main index. The search time is about 30 seconds.

I want to send a report every 5 minutes based on a new search on the summary index above.

Which is the best way to accomplish that without messing up the intervals?

For example, I'm worried that if the indexing takes a little longer, the data will be incomplete in the report. Or, if the intervals aren't matched properly, I might run the query for the report over the previous indexing period.

Can someone explain to me if my fears are well founded and point me to some documents describing the issue in more detail?


0 Karma


Hi mrg2k8

I don't know if this help you but it worked for me.

I used I savedsearch to generate every 5 min my own summary index adding at the end

the commands

|eval _time = info_search_time <<---- to add to all records the sime timestamp 5 min each time
|table xxx, yyyy, zzzz
|collect index=mysummaryindex

Then i used other search just to collect the events that i want.

0 Karma


Thanks for the answer. I'll try it.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!