Overlapped events in summary index when using siti...

ejpulsar · ‎06-16-2014

Hi,
i'm using splunk 6.1.1

I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"

..
| where isnotnull(HAS_ERROR_TYPE)
| dedup SID1
| sitimechart span=1h count by HAS_ERROR_TYPE

I've got many overlapping events in Summary index next day.

,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"

Whats wrong in my search or scheduler?

somesoni2 · ‎06-17-2014

My opinion will be to avoid using now for summary index searches. The schedule/data you're querying can be achieved by following and may be more accurate.

Search time range:   earliest=-62m@m  latest=-2m@m
Schedule type :  cron
Cron schedule :  1-59/59 * * * *
               ( run every 60 min starting from min 1 [2nd min])

This will run at 2nd minute every hour and consider data for full previous hour.

somesoni2 · ‎06-18-2014

The settings looks correct to me.

ejpulsar · ‎06-18-2014

Thanks, i've finally got this settings. Are it correct?

1) Start Time: -1h@h
2) End Time: @h
3) Cron Schedule: 5 ! ! ! !
(!=*, incorrect site formatting)

ejpulsar · ‎06-17-2014

Ahrrgw sorry.

I forgot to delete "earliest=" string at the top of the search.

ejpulsar · ‎06-18-2014

Yes, definetely.

But I'm upset that si- commands acts as collect command and didn't help to automate filling gaps in summary index.

Are there any trick to construct search to fill all summary index gaps which was a week or a month ago?

ppablo · ‎06-17-2014

Hi @ejpulsar. Did this solve your scheduled search issue?

Overlapped events in summary index when using sitimechart

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?