- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I report on only current data in a file be...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A file is being referenced, that is updated every minute.
I would like to report on data that only exists in that file for the last minute.
Background: The data in the file is for outage events. When an outage occurs, the data has the estimated restoration time.
If the outage is restored, the data no longer exists on this file.
Right now I am I am keying off of the restoration value in the file. Using this logic is not accurate, because in most cases the outage has been restored before the estimated restoration.
|eval completed_time=strptime(ert, "%Y-%m-%dT%H:%M:%S") | eval now=now() | where completed_time>now
What is happening is the data does not fall off the dashboard till the restoration time is past present time.
How can I report only on data that exists in this file? Again the file is refreshed every minute with only current outage data.
Appreciate your time and thoughts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the _index_earliest and _index_latest relative timerange specifier to only use the data indexed in last minutes. Based on how the timestamp appears on your data, you may need to use a large time range period so that all data is included. Try like this
your base search _index_earliest=-1m@m _index_latest=@m | rest of the search
See more info on timerange modifier here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/SearchTimeModifiers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the _index_earliest and _index_latest relative timerange specifier to only use the data indexed in last minutes. Based on how the timestamp appears on your data, you may need to use a large time range period so that all data is included. Try like this
your base search _index_earliest=-1m@m _index_latest=@m | rest of the search
See more info on timerange modifier here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/SearchTimeModifiers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works perfect and thank you for the link.
Thank you!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
