Hi
I have a data source that does not roll in on a consistent near-real-time schedule.
I need to send the events to a summary index which feeds another application.
I want to schedule the base search (for the summary index) to run every 15 minutes and look back at the last 30 minutes.
I am not having any luck with my syntax and am not getting the result I want. I am getting duplicates, which I don't want in the summary index.
Any recommendations would be appreciated.
Thank you,
Gunnar
Greetings @Glasses,
There are commands for the sole purpose of properly populating summary indexes:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing
Cheers,
Jacob
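The duplicates Gunnar describes come from the overlap itself: a search that runs every 15 minutes but looks back 30 minutes picks up every event twice, once in each of two consecutive runs. One way to keep the wider event-time window (so late-arriving data is not missed) while still selecting each event only once is to bound the search on index time, with `_index_earliest` / `_index_latest`, so that each run takes only what was written to the index since the previous run. The searches below are an added example, not Gunnar's search or anything from the linked Splunk docs; the index names `app_events` and `summary_app_events`, the sourcetype `app:json`, the field names `status`, `host`, `user_id` and the source tag `app_events_15m` are placeholders you would replace with your own.

```spl
index=app_events sourcetype=app:json earliest=-30m@m latest=@m _index_earliest=-15m@m _index_latest=@m
| fields _time, host, status, user_id
| collect index=summary_app_events source="app_events_15m"
```

Save this as a report scheduled with the cron expression `*/15 * * * *`; `earliest=-30m@m latest=@m` is the event-time window (snapped to the minute so runs line up), and `_index_earliest=-15m@m _index_latest=@m` is the non-overlapping index-time window that does the deduplication. If you only need aggregates rather than raw events, replace the `fields` line with one of the summary-indexing commands from Jacob's link, for example `| sistats count by status, host`, and enable summary indexing on the report instead of calling `collect` yourself. The trade-off to be aware of is that an event whose `_time` is older than 30 minutes when it finally arrives still falls outside the event-time window and will never be summarised, so widen `earliest` to match the longest delay you actually see in this source. To confirm the fix is working, search the summary index over a full day and look for repeated events, e.g. `index=summary_app_events source="app_events_15m" earliest=-24h | stats count by _time, host, user_id | where count > 1`; an empty result means no run collected the same event twice.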