- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Fill_Summary_Index.py fails after a summary index ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created a summary index, and populated it with a search.
I found later that the search was flawed, so I deleted the source from that index:
index=summary-myindex source=summarysource | delete
So far, all attempts to use fill_summary_index.py have failed for the Corrected Search. I have tried a new index.
When I run the search on the original non-summary index, the results are normal. If I try to use fill_summary_index.py the result is nothing. The fill_summary_index.py runs without errors, but nothing is added to the specified summary index – Manager>Indexes shows nothing in the index.
I created a new scheduled search with a new name (source) with the corrected search, but nothing is added to the new summary-index. When run manually there are results.
What am I missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Time. I found I was missing time.
A few days later when I got around to looking at the problem again, the same populating search that had populated nothing earlier started populating the summary index.
This has to be a bug, but I can't quite squash it yet. When I get more time I'll look into it...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Time. I found I was missing time.
A few days later when I got around to looking at the problem again, the same populating search that had populated nothing earlier started populating the summary index.
This has to be a bug, but I can't quite squash it yet. When I get more time I'll look into it...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a big fan of dedup, and I was using it. I'm gonna have to check my .stash results for something missing....
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(due to the char limit I couldn't include this bit above).
The other possibility was that the .stash results were not being ingested by the indexer for some reason (normally only an issue in distributed environments).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Normally that will only occur if you had ANY event in that summary index for that timeframe. This checking is only done if you use the "-dedup true" command line option.
There is also an issue with the script's dedup search (line #33) if your in a distributed environment (multiple indexes + search heads). Edit it and remove the "splunk_server=local" section. In a nutshell it does a simple check for existing events for that time span in the summary index. If it find ANYTHING at all in a search time frame the search will not run for that particular time frame and will be reported as "skipped".
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
