overlap
Note: We do not recommend using the overlap command to fill or backfill summary indexes. There is a script, fill_summary_index.py, that will backfill your indexes or fill gaps in a summary index. For more information, refer to this Knowledge Manager manual topic.
Synopsis
Finds events in a summary index that overlap in time or have missed events.
Syntax
overlap
Description
Find events in a summary index that overlap in time, or find gaps in time during which a scheduled saved search may have missed events.
- If you find a gap, run the search over the period of the gap and summary index the results (using "| collect").
- If you find overlapping events, manually delete the overlaps from the summary index by using the search language.
The overlap command invokes an external Python script (etc/searchscripts/sumindexoverlap.py), which expects input events from the summary index and finds any time overlaps and gaps between events that share the same 'info_search_name' but have different 'info_search_id' values. Rows that share an 'info_search_id' come from the same run of the scheduled search and are not compared against each other.
Important: Input events are expected to have the following fields: 'info_min_time' (inclusive), 'info_max_time' (exclusive), 'info_search_id', and 'info_search_name'. If the index contains raw events (_raw), the overlap command will not work. Instead, the index should contain events such as chart, stats, and timechart results, which carry these fields.
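The following is an added example, not Splunk's sumindexoverlap.py, that reproduces the check described above on a handful of constructed summary-index rows: it groups rows by 'info_search_name', collapses rows that share an 'info_search_id' into one time window, sorts the windows, and reports where the half-open [info_min_time, info_max_time) windows of different search runs overlap or leave a gap. It also shows how a detected gap maps onto the backfill search suggested earlier (earliest/latest bounding the gap, results piped to "| collect"). The search names, search ids, and the web-stats base search are invented for the illustration.

```python
"""Added example (not Splunk's own script): find overlaps and gaps between
summary-index windows, keyed on info_search_name / info_search_id."""
from collections import defaultdict

# Constructed sample summary-index rows (not real Splunk output).
# Each row is one result of a scheduled summary-indexing search run;
# info_min_time is inclusive, info_max_time exclusive (epoch seconds).
SAMPLE_EVENTS = [
    {"info_search_name": "hourly_web_stats", "info_search_id": "sid_01",
     "info_min_time": 0, "info_max_time": 3600},
    {"info_search_name": "hourly_web_stats", "info_search_id": "sid_02",
     "info_min_time": 3600, "info_max_time": 7200},
    # the 07200-10800 run never happened: this is a gap
    {"info_search_name": "hourly_web_stats", "info_search_id": "sid_04",
     "info_min_time": 10800, "info_max_time": 14400},
    # sid_05 re-ran part of sid_04's window: overlap 12600-14400
    {"info_search_name": "hourly_web_stats", "info_search_id": "sid_05",
     "info_min_time": 12600, "info_max_time": 16200},
    # a second result row from the same run (same search id) is not an overlap
    {"info_search_name": "hourly_web_stats", "info_search_id": "sid_05",
     "info_min_time": 12600, "info_max_time": 16200},
    # a different saved search is checked independently
    {"info_search_name": "daily_auth_failures", "info_search_id": "sid_d1",
     "info_min_time": 0, "info_max_time": 86400},
]

REQUIRED_FIELDS = ("info_search_name", "info_search_id",
                   "info_min_time", "info_max_time")


def find_overlaps_and_gaps(events):
    """Return (overlaps, gaps), each a list of dicts, for every search name."""
    windows = defaultdict(dict)  # search name -> {search id: (min, max)}
    for ev in events:
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            # raw events (_raw) lack the info_* fields and cannot be checked
            raise ValueError(f"event is missing fields {missing}")
        name, sid = ev["info_search_name"], ev["info_search_id"]
        lo, hi = float(ev["info_min_time"]), float(ev["info_max_time"])
        prev = windows[name].get(sid)
        # rows from one run share a search id: keep one window per run
        windows[name][sid] = (lo, hi) if prev is None else (min(prev[0], lo), max(prev[1], hi))

    overlaps, gaps = [], []
    for name, by_sid in windows.items():
        ordered = sorted(by_sid.items(), key=lambda kv: kv[1])
        # track the furthest end seen so far, so a run nested inside an
        # earlier, longer run is still reported as an overlap, not a gap
        reach_sid, reach = ordered[0][0], ordered[0][1][1]
        for sid, (lo, hi) in ordered[1:]:
            if lo < reach:
                overlaps.append({"info_search_name": name, "ids": (reach_sid, sid),
                                 "start": lo, "end": min(reach, hi)})
            elif lo > reach:  # lo == reach means adjacent half-open windows
                gaps.append({"info_search_name": name, "after_id": reach_sid,
                             "before_id": sid, "start": reach, "end": lo})
            if hi > reach:
                reach_sid, reach = sid, hi
    return overlaps, gaps


def backfill_search(gap, base_search, report):
    """Build the search that refills one gap and summary-indexes the result.

    base_search is the event selection (hypothetical example below), report
    the stats/chart/timechart stage of the original saved search. Splunk's
    latest= is exclusive, matching info_max_time.
    """
    return (f"{base_search} earliest={int(gap['start'])} latest={int(gap['end'])}"
            f" | {report} | collect index=summary")


if __name__ == "__main__":
    found_overlaps, found_gaps = find_overlaps_and_gaps(SAMPLE_EVENTS)
    for o in found_overlaps:
        print(f"overlap {o['info_search_name']} {o['ids']} {o['start']:.0f}-{o['end']:.0f}")
    for g in found_gaps:
        print(f"gap     {g['info_search_name']} {g['after_id']}..{g['before_id']} "
              f"{g['start']:.0f}-{g['end']:.0f}")
        # hypothetical base search and report stage for the backfill
        print("  " + backfill_search(g, "index=web sourcetype=access_combined",
                                     "stats count by status"))
```

The overlap reported for a gap-free but re-run window is exactly what the page tells you to delete manually from the summary index; the gap is what you would refill with the printed collect search (or, as the note above recommends, with fill_summary_index.py).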
Examples
Example 1: Find overlapping events in "summary".
index=summary | overlap
See also
collect, sistats, sitop, sirare, sichart, sitimechart
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the overlap command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3