Splunk Search

Overlapped events in summary index when using sitimechart

ejpulsar
Path Finder

Hi,
i'm using splunk 6.1.1

I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"

..
| where isnotnull(HAS_ERROR_TYPE)
| dedup SID1
| sitimechart span=1h count by HAS_ERROR_TYPE

I've got many overlapping events in Summary index next day.

,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"

Whats wrong in my search or scheduler?

Tags (2)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

My opinion will be to avoid using now for summary index searches. The schedule/data you're querying can be achieved by following and may be more accurate.

Search time range:   earliest=-62m@m  latest=-2m@m
Schedule type :  cron
Cron schedule :  1-59/59 * * * *
               ( run every 60 min starting from min 1 [2nd min])

This will run at 2nd minute every hour and consider data for full previous hour.

somesoni2
SplunkTrust
SplunkTrust

The settings looks correct to me.

0 Karma

ejpulsar
Path Finder

Thanks, i've finally got this settings. Are it correct?

1) Start Time: -1h@h
2) End Time: @h
3) Cron Schedule: 5 ! ! ! !
(!=*, incorrect site formatting)

0 Karma

ejpulsar
Path Finder

Ahrrgw sorry.

I forgot to delete "earliest=" string at the top of the search.

0 Karma

ejpulsar
Path Finder

Yes, definetely.

But I'm upset that si- commands acts as collect command and didn't help to automate filling gaps in summary index.

Are there any trick to construct search to fill all summary index gaps which was a week or a month ago?

0 Karma

ppablo
Retired

Hi @ejpulsar. Did this solve your scheduled search issue?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...