Splunk Search

Summarization timespan incongruent

TiagoTLD1
Communicator

Hello,

I have two environments with the exact same app and saved searches, and the exact same data.

In environment 1, the summarization has timespans of 10min, 10s, 1d, 1h, 1min, 1s
In environment 2, the summarization timespan is just 1h.

Why would this happen? And why can't I, by changing the auto.summarize.timespan in the Advanced Edit of the savedsearches, actually change these to the timespans I want?

Thanks in advance

0 Karma

DalJeanis
Legend

You are looking in exactly the right place... auto_summarize.timespan in savedsearches.conf in the two environments. Are you saying that you have tried to edit that parameter and it had no effect? Or that you were unable to edit it, or it changed itself back? What's the actual issue?

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageacceleratedsearchsummaries#You_ca...

You can manually set summary timespans (but we don't recommend it)
You can set summary timespans manually at the report level in savedsearches.conf by changing the value of the auto_summarize.timespan parameter. If you do set your summary timespans manually, keep in mind that very small timespans can result in extremely slow summary creation times, especially if the summary range is long. On the other hand, large timespans can result in quick-building summaries that cannot be used by reports with short time ranges. In almost all cases, for optimal performance and usability it's best to let Splunk software determine summary timespans.

0 Karma
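
One way to carry out the comparison suggested in the reply above, as an added example that is not part of the original thread: the script layers each environment's local savedsearches.conf over its default copy and reports every auto_summarize* key whose effective value differs. It is simplified to a single app's default and local directories (an assumption), and the stanza name and conf contents are constructed sample data.

```python
# Added example: diff report-acceleration settings between two environments.
# All conf text below is constructed sample data, not taken from the thread.

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Simplification: backslash-continued values are not joined."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Layer local over default key by key (one app only, an assumption)."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def diff_acceleration(env1, env2, prefix="auto_summarize"):
    """Return {(stanza, key): (env1_value, env2_value)} for differing keys."""
    out = {}
    for stanza in sorted(set(env1) | set(env2)):
        a, b = env1.get(stanza, {}), env2.get(stanza, {})
        for key in sorted(set(a) | set(b)):
            if key.startswith(prefix) and a.get(key) != b.get(key):
                out[(stanza, key)] = (a.get(key), b.get(key))
    return out

# Constructed sample: same default file in both environments,
# but environment 2 carries a local override.
DEFAULT = """
[Example Report]
search = index=main | stats count by host
auto_summarize = 1
"""
ENV1_LOCAL = ""
ENV2_LOCAL = """
[Example Report]
auto_summarize.timespan = 1h
"""

if __name__ == "__main__":
    diffs = diff_acceleration(effective(DEFAULT, ENV1_LOCAL),
                              effective(DEFAULT, ENV2_LOCAL))
    for (stanza, key), (v1, v2) in diffs.items():
        print(f"[{stanza}] {key}: env1={v1!r} env2={v2!r}")
```

A value of `None` in the output means the key is absent from that environment's merged configuration.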

TiagoTLD1
Communicator

What I am facing is that even though I use the auto.summarize.timespan with value of 10s, Splunk still gives me the 1h timespan only.

It seems Splunk is ignoring that rule. It doesn't matter what value I put there, it chooses 1h as the only timespan.

I understand that the customization is not recommended and I understand the risks, but at least it should allow the suggested parameter to actually have effects on the timespan, which it does not!

0 Karma