Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I correctly search (and send report on) the last 5 minutes on an index that's generated every 5 minutes?

mrg2k8
Explorer
‎05-20-2015 02:31 AM

Hello,

I have a summary that is being run with the following parameters:
Start time (optional): -6m@m
Finish time (optional): -1m@m
Schedule type: Basic
Run every: 5 minutes
Condition: Always
Summary indexing: checked (enabled)

The summary looks after certain data in a large, main index. The search time is about 30 seconds.

I want to send a report every 5 minutes based on a new search on the summary index above.

Which is the best way to accomplish that without messing up the intervals?

For example, I'm worried that if the indexing takes a little longer, the data will be incomplete in the report. Or, if the intervals aren't matched properly, I might run the query for the report over the previous indexing period.

Can someone explain to me if my fears are well founded and point me to some documents describing the issue in more detail?

Thanks.

0 Karma
Reply

jmallorquin
Builder
‎05-20-2015 04:45 AM

Hi mrg2k8

I don't know if this help you but it worked for me.

I used I savedsearch to generate every 5 min my own summary index adding at the end

the commands

|addinfo
|eval _time = info_search_time <<---- to add to all records the sime timestamp 5 min each time
|table xxx, yyyy, zzzz
|collect index=mysummaryindex

Then i used other search just to collect the events that i want.

0 Karma
Reply

mrg2k8
Explorer
‎05-20-2015 05:46 AM

Thanks for the answer. I'll try it.

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!