I'm doing a Splunk search at 5-minute intervals, getting data every 5 minutes. For example, earliest="07/10/2021:07:35:00" AND latest="07/10/2021:07:40:00"; the next interval will be earliest="07/10/2021:07:40:00" AND latest="07/10/2021:07:45:00". So the question is, when we have a log at exactly 07:40:00, will the log be duplicated in both intervals?

I've done some analysis on this. Splunk will provide the data in milliseconds, 07:40:00.000. The millisecond position can go up to "07:40:00.000000". When I try to search this, the log time is considered as 07:39:59.999, but it's going into the 07:40 to 07:45 interval and is not being duplicated.

Why is "07:40:00.000000" considered as 07:39:59.999? If it is considered as 07:39:59.999, why is it going to the latter time interval? Is this Splunk's mechanism to avoid duplication? Can someone please explain how earliest time and latest time are considered by Splunk in milliseconds when doing the search?