Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting unexpected results when searching a summary index over a "large" timespan?

nilsml
Engager
‎09-29-2015 07:02 AM

I am new to summary indexing, but I've tried to follow the documentation and create a scheduled search that saves the result to a summary index.

The search:

index=my_index source="SomeApp" | sitimechart count by host

This is scheduled to run every 5 minutes and start time is -5m and finish time is now.
On the dashboard I do:

index=summary search_name="Summary - test search" | timechart count by host

This apparently works when searching over a few hours, but when trying to search for more than 5-10 hours, suddenly I get back weird data. Instead of values in the range of 100-1000 I get values in the range of 0-5.
When running the search, values that appear to be valid are shown for some milliseconds and then they are replaced by these 0-5-ish values that make no sense to me.

I guess I am doing something wrong, but not sure what.
Appreciate any help!

[UPDATE]
I did some more testing, and it looks like the correct values are shown when generating preview for the search, but when the final result is shown, I am getting some weird data. To me it looks like some kind of optimization algorithm or something that is applied to the result.

Reply

somesoni2
Revered Legend
‎09-29-2015 08:13 AM

My suggestion would be to try/change these

1) Change the start time and finish time of the search to include little delay to take care of indexing lag. May be use -7m@m to -2m@m to allow 2 extra minute for data to get ingested
2) In your dashboard search like this.

index=summary search_name="Summary - test search" | timechart sum(count) as count by host
Reply

nilsml
Engager
‎09-29-2015 10:29 PM

The -5m - now to -7m@m - -2m@m change was a good suggestion!

Regarding 2), after doing the change in my dashboard, I don't get any results. Should I change the search as well?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...