Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why am I getting unexpected results when searching a summary index over a "large" timespan?

nilsml
Engager
‎09-29-2015 07:02 AM

I am new to summary indexing, but I've tried to follow the documentation and create a scheduled search that saves the result to a summary index.

The search:

index=my_index source="SomeApp" | sitimechart count by host

This is scheduled to run every 5 minutes and start time is -5m and finish time is now.
On the dashboard I do:

index=summary search_name="Summary - test search" | timechart count by host

This apparently works when searching over a few hours, but when trying to search for more than 5-10 hours, suddenly I get back weird data. Instead of values in the range of 100-1000 I get values in the range of 0-5.
When running the search, values that appear to be valid are shown for some milliseconds and then they are replaced by these 0-5-ish values that make no sense to me.

I guess I am doing something wrong, but not sure what.
Appreciate any help!

[UPDATE]
I did some more testing, and it looks like the correct values are shown when generating preview for the search, but when the final result is shown, I am getting some weird data. To me it looks like some kind of optimization algorithm or something that is applied to the result.

Reply

somesoni2
Revered Legend
‎09-29-2015 08:13 AM

My suggestion would be to try/change these

1) Change the start time and finish time of the search to include little delay to take care of indexing lag. May be use -7m@m to -2m@m to allow 2 extra minute for data to get ingested
2) In your dashboard search like this.

index=summary search_name="Summary - test search" | timechart sum(count) as count by host
Reply

nilsml
Engager
‎09-29-2015 10:29 PM

The -5m - now to -7m@m - -2m@m change was a good suggestion!

Regarding 2), after doing the change in my dashboard, I don't get any results. Should I change the search as well?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...