overlap
Note: We do not recommend using the overlap command to fill or backfill summary indexes. There is a script, called fill_summary_index.py, that will backfill your indexes or fill summary index gaps. For more information, refer to the Knowledge Manager manual topic on summary indexing.
Synopsis
Finds events in a summary index that overlap in time or have missed events.
Syntax
overlap
Description
Find events in a summary index that overlap in time, or find gaps in time during which a scheduled saved search may have missed events.
Note: If you find a gap, run the search over the period of the gap and summary index the results (using "| collect"). If you find overlapping events, manually delete the overlaps from the summary index by using the search language.
Invokes an external Python script (in etc/searchscripts/sumindexoverlap.py), which expects input events from the summary index and finds any time overlaps and gaps between events that share the same 'info_search_name' but have different 'info_search_id' values.
Important: Input events are expected to have the following fields: 'info_min_time' and 'info_max_time' (inclusive and exclusive, respectively), 'info_search_id', and 'info_search_name'. If the index contains raw events (_raw), the overlap command will not work. Instead, the index should contain events such as chart, stats, and timechart results.
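As an added illustration (not Splunk's sumindexoverlap.py and not part of the original page), the following Python reproduces the documented comparison over constructed sample summary-index rows: each search run is the half-open interval [info_min_time, info_max_time), rows are grouped by info_search_name, and only runs with different info_search_id values are compared. The field names are the ones the page lists; the event values are invented.

```python
from collections import defaultdict

# Constructed sample summary-index rows (not real Splunk output). Several rows
# can share an info_search_id (one stats result per host, for example); they
# describe the same scheduled run and must not be reported as overlapping.
SAMPLE_EVENTS = [
    {"info_search_name": "web_errors", "info_search_id": "s1", "info_min_time": 0,     "info_max_time": 3600},
    {"info_search_name": "web_errors", "info_search_id": "s2", "info_min_time": 3600,  "info_max_time": 7200},
    {"info_search_name": "web_errors", "info_search_id": "s3", "info_min_time": 7000,  "info_max_time": 10800},  # overlaps s2
    {"info_search_name": "web_errors", "info_search_id": "s4", "info_min_time": 14400, "info_max_time": 18000},  # gap after s3
    {"info_search_name": "web_errors", "info_search_id": "s4", "info_min_time": 14400, "info_max_time": 18000},  # same run, second row
    {"info_search_name": "logins",     "info_search_id": "t1", "info_min_time": 0,     "info_max_time": 3600},
]


def find_overlaps_and_gaps(events):
    """Return (overlaps, gaps), each a dict: info_search_name -> list of
    (earlier_id, later_id, start, end). Intervals are [min_time, max_time),
    so two runs that merely touch (a.max == b.min) are neither overlap nor gap."""
    runs = defaultdict(dict)  # name -> {search_id: (min_time, max_time)}
    for ev in events:
        name, sid = ev["info_search_name"], ev["info_search_id"]
        lo, hi = runs[name].get(sid, (ev["info_min_time"], ev["info_max_time"]))
        # Rows with the same search id collapse into one interval spanning all of them.
        runs[name][sid] = (min(lo, ev["info_min_time"]), max(hi, ev["info_max_time"]))

    overlaps, gaps = defaultdict(list), defaultdict(list)
    for name, by_id in runs.items():
        ordered = sorted(by_id.items(), key=lambda kv: kv[1])
        furthest_id, covered_until = None, None  # run that extends coverage the furthest so far
        for sid, (lo, hi) in ordered:
            if furthest_id is not None:
                if lo < covered_until:
                    overlaps[name].append((furthest_id, sid, lo, min(covered_until, hi)))
                elif lo > covered_until:
                    gaps[name].append((furthest_id, sid, covered_until, lo))
            if covered_until is None or hi > covered_until:
                furthest_id, covered_until = sid, hi
    return dict(overlaps), dict(gaps)


if __name__ == "__main__":
    found_overlaps, found_gaps = find_overlaps_and_gaps(SAMPLE_EVENTS)
    print("overlaps:", found_overlaps)  # web_errors: s2/s3 between 7000 and 7200
    print("gaps:", found_gaps)          # web_errors: s3/s4 between 10800 and 14400
```

A reported gap gives the earliest and latest bounds to use when re-running the saved search and piping it to "| collect", as the note above describes.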
Examples
Example 1: Find overlapping events in "summary".
index=summary | overlap
See also
collect, sistats, sitop, sirare, sichart, sitimechart
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11