- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Primary search for earliest=-24h, with subsear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Primary search for earliest=-24h, with subsearch for -15m ?
A user has a dashboard made of multiple searches all based on the last 24 hours of a single very large index.
Some panels should show stats based on the full 24 hours, others should only show stats based the last 5 or 15 minutes.
To save resources and speed it up, I'd like to run a single search that returns events for the past 24 hours, then run a sub-search on that result to retrieve the most recent 5 minutes, or 15, or....
How can I do that ?
Thanks,
-Rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need a 24-hour base search and then a few post-process searches for each trimmed-down situation:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/Savedsearches#Post-process_searches_2
https://www.packtpub.com/mapt/book/big_data_and_business_intelligence/9781785281396/8/ch08lvl1sec35/...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you, i'll review the links and post some results when i've had a chance to experiment !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This sounds very much like a Summary Index situation:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Configuresummaryindexes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i'm under the impression that summary indexing is brittle if you run the risk of events coming in to the index "late". this index is populated by HFs running on a syslog receiver farm and it's not unusual to lose connectivity between the HF and the index cluster for a couple hours.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is all true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use |append and run the search again as a subsearch with a hard coded time range using earliest=-15m latest=now and your time picker could be 24hrs or you can leave it in your search as well. whatever field you are using to calculate on will need to be different than your main search for instance |"search" |stats count(a) as ex1 |append[|search "search' earliest=-15m latest=now |stats count(a) as ex2] Keep in mind there is a default subsearch timeout of 60s.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks. my initial experiments haven't been altogether successful, but i'll read and experiment a little more and let you know how i make out.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
