Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can Splunk report on original events, even if new events for same day get indexed later?

maverick
Splunk Employee
Splunk Employee
‎02-28-2011 04:19 PM

Suppose you have the following scenario:

  • 1 - Logs come in for a certain day, say Feb 5, 2011
  • 2 - A report is generated for Feb 5, 2011
  • 3 - After the report is generated, could be some days afterward, some additional logs arrive for Feb 5, 2011
    (i.e. there was a delay in sending them on the day the log was generated on the device)

    • Now, suppose your requirement is if a report is re-generated for Feb 5, 2011, it must match the original results, ignoring any of the new data for Feb 5 that came in and got indexed afterward.

    Is there a way to do this in Splunk? If so, what would be the most efficient way? Summary Indexing, perhaps?

    Reply
    1 Solution
    Solved! Jump to solution
    Solution

    tmartin
    Splunk Employee
    Splunk Employee
    ‎02-28-2011 04:49 PM

    Another suggestion is to sort out ONLY events that are indexed on Feb 5, 2011 using the internal field _indextime.

    View solution in original post

    Reply
    Solved! Jump to solution

    DrewO
    Splunk Employee
    Splunk Employee
    ‎02-28-2011 04:52 PM

    Hey Mavrick,

    To do this base your report off of a scheduled search. Keep those results around for a week or longer depending on the time window here and have that report load from cache in a dashboard.

    Also consider setting up the search as a pdf alert, then you have the pdf frozen in time, and accessible afterward.

    D

    0 Karma
    Reply
    Solved! Jump to solution
    Solution

    tmartin
    Splunk Employee
    Splunk Employee
    ‎02-28-2011 04:49 PM

    Another suggestion is to sort out ONLY events that are indexed on Feb 5, 2011 using the internal field _indextime.

    Reply
    Solved! Jump to solution

    maverick
    Splunk Employee
    Splunk Employee
    ‎02-28-2011 04:46 PM

    One way might be to run a daily report that summarizes the report statistics into the summary index (different index) and then from that point forward, you would recreate the report from the summary index instead of the raw events in main index, thus avoiding the possibility of including the extra events that got indexed late.

    Reply
    Solved! Jump to solution

    maverick
    Splunk Employee
    Splunk Employee
    ‎02-28-2011 04:48 PM

    you could probably also add in a new field called "reportdate" into the summary report with the text-based date value like "Feb 5, 2001" and then search on that field.

    0 Karma
    Reply
    Get Updates on the Splunk Community!

    Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

    WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

    Splunk APM: New Product Features + Community Office Hours Recap!

    Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

    Index This | Forward, I’m heavy; backward, I’m not. What am I?

    April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...