start and finish time to be set for summary index ...

nivethainspire_ · ‎07-20-2017

I am trying to create summary index from UI, cron scheduled everyday at 9.30AM (30 9 * * *)
My requirement is I should see the data in dashboard for last 24 hours. Right now I set
start time as @d and finish time as now - I get data from today 9.30 AM to nextday 12.00AM
start time as -d and finish time as now - I get data from day before data
what is start and finish time to be set for this summary index?

o_calmels · ‎07-21-2017

Hi,

The answer depends on yout need:
To get data during the entire last day only, you can use earliest=@d latest=-1d@d (the @day flag specify that you want entire day)
To get, exactly last 24 h (including minutes), so, from last day 9:30 AM to now, you can use : earliest=-24h@min, latest=now(the @min flag specify that you want time range with minutes details).

You can test these expresions in search app > Click "time range " and select "Advanced time range option". when you set values in the boxes, the effective time is calculated (documentation : https://docs.splunk.com/Documentation/Splunk/latest/Search/Selecttimerangestoapply)
Hope that helps.

Olivier.

start and finish time to be set for summary index to get data for last 24 hours

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms