I have a search as follows:
sourcetype="renprodweb" | sistats count by httprespcode
(with the time range set to previous month) Using Splunk Web, I saved the report, enabled Summary Index, and scheduled it to run every 15 minutes. I was able to get the data from the search itself. However, when I tried to run a search against the summary index as follows, I received nothing.
index="summary" searchname="summary - stats count" | stats count by httpresp_code
What am I missing here?
Thanks.
Maybe the field has a typo; try with search_name instead of searchname.
Otherwise, here are some troubleshooting steps:
Do you have permissions to search the summary index?
Try with index=summary | stats count by search_name
Is summary indexing enabled?
Make sure that the spooler batch input is not disabled in the file data inputs: $SPLUNK_HOME/var/spool/splunk/...stash_new
Is the summary index local, or forwarded to another server that is not searchable?