Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Overlapped events in summary index when using sitimechart

ejpulsar
Path Finder
‎06-16-2014 11:30 PM

Hi,
i'm using splunk 6.1.1

I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"

..
| where isnotnull(HAS_ERROR_TYPE)
| dedup SID1
| sitimechart span=1h count by HAS_ERROR_TYPE

I've got many overlapping events in Summary index next day.

,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"

Whats wrong in my search or scheduler?

Tags (2)
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎06-17-2014 01:05 PM

My opinion will be to avoid using now for summary index searches. The schedule/data you're querying can be achieved by following and may be more accurate.

Search time range:   earliest=-62m@m  latest=-2m@m
Schedule type :  cron
Cron schedule :  1-59/59 * * * *
               ( run every 60 min starting from min 1 [2nd min])

This will run at 2nd minute every hour and consider data for full previous hour.

Reply

somesoni2
SplunkTrust
SplunkTrust
‎06-18-2014 07:24 AM

The settings looks correct to me.

0 Karma
Reply

ejpulsar
Path Finder
‎06-18-2014 05:19 AM

Thanks, i've finally got this settings. Are it correct?

1) Start Time: -1h@h
2) End Time: @h
3) Cron Schedule: 5 ! ! ! !
(!=*, incorrect site formatting)

0 Karma
Reply

ejpulsar
Path Finder
‎06-17-2014 12:34 AM

Ahrrgw sorry.

I forgot to delete "earliest=" string at the top of the search.

0 Karma
Reply

ejpulsar
Path Finder
‎06-18-2014 02:42 AM

Yes, definetely.

But I'm upset that si- commands acts as collect command and didn't help to automate filling gaps in summary index.

Are there any trick to construct search to fill all summary index gaps which was a week or a month ago?

0 Karma
Reply

ppablo
Retired
‎06-17-2014 06:17 PM

Hi @ejpulsar. Did this solve your scheduled search issue?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...