Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I report on only current data in a file being refreshed every minute?

bcarnot
Path Finder
‎03-08-2017 11:55 AM

A file is being referenced, that is updated every minute.
I would like to report on data that only exists in that file for the last minute.

Background: The data in the file is for outage events. When an outage occurs, the data has the estimated restoration time.
If the outage is restored, the data no longer exists on this file.

Right now I am I am keying off of the restoration value in the file. Using this logic is not accurate, because in most cases the outage has been restored before the estimated restoration.

|eval completed_time=strptime(ert, "%Y-%m-%dT%H:%M:%S") | eval now=now() | where completed_time>now

What is happening is the data does not fall off the dashboard till the restoration time is past present time.

How can I report only on data that exists in this file? Again the file is refreshed every minute with only current outage data.

Appreciate your time and thoughts.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎03-08-2017 01:34 PM

You can use the _index_earliest and _index_latest relative timerange specifier to only use the data indexed in last minutes. Based on how the timestamp appears on your data, you may need to use a large time range period so that all data is included. Try like this

your base search _index_earliest=-1m@m _index_latest=@m | rest of the search

See more info on timerange modifier here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/SearchTimeModifiers

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎03-08-2017 01:34 PM

You can use the _index_earliest and _index_latest relative timerange specifier to only use the data indexed in last minutes. Based on how the timestamp appears on your data, you may need to use a large time range period so that all data is included. Try like this

your base search _index_earliest=-1m@m _index_latest=@m | rest of the search

See more info on timerange modifier here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/SearchTimeModifiers

0 Karma
Reply
Solved! Jump to solution

bcarnot
Path Finder
‎03-09-2017 09:15 AM

This works perfect and thank you for the link.
Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...