Re: Duplicate entries produced by saved search in ...

lahariveerlapat · ‎06-11-2014

I have 28 saved searches and each one of the searches is executed in 5 mins gaps. Even though I have dispersed the schedule, the summary index has double the entries of saved searches.
Any ideas or solutions are appreciated.

lguinn2 · ‎06-19-2014

I don't know why, but I see weirdness in your savedsearches.conf stanza:

auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 45 0 *  
dispatch.earliest_time = -1d@d
dispatch.latest_time = -0d@d

I think this should be

auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 45 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = -0d@d

Also, have you accelerated this search? If yes, I would probably turn off acceleration.

If this doesn't help, what is the actual search string?

It looks like this search should run once per day at 12:45 am and summarize for the previous day.

lahariveerlapat · ‎06-12-2014

the search timeframe of each searches are -1d@d to -0d@d.

action.email.reportServerEnabled = 0
action.summary_index = 1
action.summary_index._name = sampleindex
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 45 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = -0d@d

display.general.type = statistics
display.page.search.mode = verbose
display.visualizations.show = 0
enableSched = 1
realtime_schedule = 0

s2_splunk · ‎06-12-2014

What is the search timeframe for each search...?
Can you post an example from your savedsearches.conf?

Duplicate entries produced by saved search in summary index

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?