Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Overlapped events in summary index when using sitimechart

ejpulsar
Path Finder
‎06-16-2014 11:30 PM

Hi,
i'm using splunk 6.1.1

I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"

..
| where isnotnull(HAS_ERROR_TYPE)
| dedup SID1
| sitimechart span=1h count by HAS_ERROR_TYPE

I've got many overlapping events in Summary index next day.

,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"

Whats wrong in my search or scheduler?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎06-17-2014 01:05 PM

My opinion will be to avoid using now for summary index searches. The schedule/data you're querying can be achieved by following and may be more accurate.

Search time range:   earliest=-62m@m  latest=-2m@m
Schedule type :  cron
Cron schedule :  1-59/59 * * * *
               ( run every 60 min starting from min 1 [2nd min])

This will run at 2nd minute every hour and consider data for full previous hour.

Reply

somesoni2
Revered Legend
‎06-18-2014 07:24 AM

The settings looks correct to me.

0 Karma
Reply

ejpulsar
Path Finder
‎06-18-2014 05:19 AM

Thanks, i've finally got this settings. Are it correct?

1) Start Time: -1h@h
2) End Time: @h
3) Cron Schedule: 5 ! ! ! !
(!=*, incorrect site formatting)

0 Karma
Reply

ejpulsar
Path Finder
‎06-17-2014 12:34 AM

Ahrrgw sorry.

I forgot to delete "earliest=" string at the top of the search.

0 Karma
Reply

ejpulsar
Path Finder
‎06-18-2014 02:42 AM

Yes, definetely.

But I'm upset that si- commands acts as collect command and didn't help to automate filling gaps in summary index.

Are there any trick to construct search to fill all summary index gaps which was a week or a month ago?

0 Karma
Reply

ppablo
Retired
‎06-17-2014 06:17 PM

Hi @ejpulsar. Did this solve your scheduled search issue?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top