Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Overlapped events in summary index when using sitimechart

ejpulsar
Path Finder
‎06-16-2014 11:30 PM

Hi,
i'm using splunk 6.1.1

I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"

..
| where isnotnull(HAS_ERROR_TYPE)
| dedup SID1
| sitimechart span=1h count by HAS_ERROR_TYPE

I've got many overlapping events in Summary index next day.

,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"

Whats wrong in my search or scheduler?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎06-17-2014 01:05 PM

My opinion will be to avoid using now for summary index searches. The schedule/data you're querying can be achieved by following and may be more accurate.

Search time range:   earliest=-62m@m  latest=-2m@m
Schedule type :  cron
Cron schedule :  1-59/59 * * * *
               ( run every 60 min starting from min 1 [2nd min])

This will run at 2nd minute every hour and consider data for full previous hour.

Reply

somesoni2
Revered Legend
‎06-18-2014 07:24 AM

The settings looks correct to me.

0 Karma
Reply

ejpulsar
Path Finder
‎06-18-2014 05:19 AM

Thanks, i've finally got this settings. Are it correct?

1) Start Time: -1h@h
2) End Time: @h
3) Cron Schedule: 5 ! ! ! !
(!=*, incorrect site formatting)

0 Karma
Reply

ejpulsar
Path Finder
‎06-17-2014 12:34 AM

Ahrrgw sorry.

I forgot to delete "earliest=" string at the top of the search.

0 Karma
Reply

ejpulsar
Path Finder
‎06-18-2014 02:42 AM

Yes, definetely.

But I'm upset that si- commands acts as collect command and didn't help to automate filling gaps in summary index.

Are there any trick to construct search to fill all summary index gaps which was a week or a month ago?

0 Karma
Reply

ppablo
Retired
‎06-17-2014 06:17 PM

Hi @ejpulsar. Did this solve your scheduled search issue?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...