- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Overlapped events in summary index when using ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Overlapped events in summary index when using sitimechart
Hi,
i'm using splunk 6.1.1
I made this si- search and scheduled it to run "every hour" at period -1h@m to "now"
..
| where isnotnull(HAS_ERROR_TYPE)
| dedup SID1
| sitimechart span=1h count by HAS_ERROR_TYPE
I've got many overlapping events in Summary index next day.
,"2014-05-25T00:00:00.000+0400",,"Summary Index - USSD","Summary Index - USSD","Found overlap in saved search 'Summary Index - USSD' between search ids: '1402966801.531' and '1402974001.568' from 'Sun May 25 00:00:00 2014' to 'Tue Jun 17 05:00:01 2014'","Sun May 25 00:00:00 2014","Tue Jun 17 05:00:01 2014"
Whats wrong in my search or scheduler?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My opinion will be to avoid using now for summary index searches. The schedule/data you're querying can be achieved by following and may be more accurate.
Search time range: earliest=-62m@m latest=-2m@m
Schedule type : cron
Cron schedule : 1-59/59 * * * *
( run every 60 min starting from min 1 [2nd min])
This will run at 2nd minute every hour and consider data for full previous hour.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The settings looks correct to me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, i've finally got this settings. Are it correct?
1) Start Time: -1h@h
2) End Time: @h
3) Cron Schedule: 5 ! ! ! !
(!=*, incorrect site formatting)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahrrgw sorry.
I forgot to delete "earliest=" string at the top of the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, definetely.
But I'm upset that si- commands acts as collect command and didn't help to automate filling gaps in summary index.
Are there any trick to construct search to fill all summary index gaps which was a week or a month ago?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ejpulsar. Did this solve your scheduled search issue?
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
