Splunk Search

Primary search for earliest=-24h, with subsearch for -15m?

robgarner
Path Finder

A user has a dashboard made of multiple searches all based on the last 24 hours of a single very large index.
Some panels should show stats based on the full 24 hours, others should only show stats based on the last 5 or 15 minutes.

To save resources and speed it up, I'd like to run a single search that returns events for the past 24 hours, then run a sub-search on that result to retrieve the most recent 5 minutes, or 15, or....

How can I do that?

Thanks,
-Rob


woodcock
Esteemed Legend

robgarner
Path Finder

Thank you, I'll review the links and post some results when I've had a chance to experiment!


woodcock
Esteemed Legend

robgarner
Path Finder

I'm under the impression that summary indexing is brittle if you run the risk of events coming in to the index "late". This index is populated by HFs running on a syslog receiver farm, and it's not unusual to lose connectivity between the HF and the index cluster for a couple of hours.


woodcock
Esteemed Legend

This is all true.


CarsonZa
Contributor

Use |append and run the search again as a subsearch with a hard-coded time range using earliest=-15m latest=now. Your time picker could be 24hrs, or you can leave it in your search as well. Whatever field you are using to calculate on will need to be different than your main search, for instance:

"search" | stats count(a) as ex1 | append [ search "search" earliest=-15m latest=now | stats count(a) as ex2 ]

Keep in mind there is a default subsearch timeout of 60s.

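One way to do what the original question asks, written in Splunk Simple XML as an added example (not code from any poster in this thread): the 24 hour search runs once as a dashboard base search that bins events per minute, and each panel post-processes that result set, the 15 minute panel by filtering on _time. The index name, sourcetype and the host field are placeholders.

```xml
<dashboard>
  <label>24h base search with post-process panels (added example)</label>

  <!-- The expensive scan runs once. A base search should end in a transforming
       command (stats here) so its result set stays small; binning _time to one
       minute keeps enough resolution to carve out the last 5 or 15 minutes without
       rescanning the index. index, sourcetype and host are placeholder names. -->
  <search id="base24h">
    <query>
      index=your_index sourcetype=your_sourcetype
      | bin _time span=1m
      | stats count AS events BY _time, host
    </query>
    <earliest>-24h@m</earliest>
    <latest>now</latest>
    <refresh>5m</refresh>
  </search>

  <row>
    <panel>
      <title>Events per host, last 24 hours</title>
      <chart>
        <search base="base24h">
          <query>| stats sum(events) AS events BY host</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Events per host, last 15 minutes</title>
      <chart>
        <!-- Post-process only: keep the minute buckets from the last 15 minutes
             of the already-retrieved base results, then re-aggregate. -->
        <search base="base24h">
          <query>
            | where _time &gt;= relative_time(now(), "-15m@m")
            | stats sum(events) AS events BY host
          </query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
```

The 15 minute panel is only as fresh as the last base search run, hence the refresh interval; unlike a summary index, each run reads the live index, so events that arrived late are still counted.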

robgarner
Path Finder

Thanks. My initial experiments haven't been altogether successful, but I'll read and experiment a little more and let you know how I make out.
