Solved: Summary Index -nolocal

emiller42 · ‎04-07-2014

Hello!

I've got a distributed Splunk setup where the indexers and search heads live on separate hosts. (The indexers are also clustered) I'm attempting to backfill a summary search, and make sure that I don't duplicate data where it may already exist. According to the Documentation contained here, there is a -nolocal flag to use in this case specifically. However, when I attempt to use the flag, I get an error stating: Invalid option '-nolocal'

Any idea why the discrepancy?

Here is the full command:

splunk cmd python fill_summary_index.py -app my_app -name summary_search -et -90d@d -lt @h -dedup true -nolocal true -j 8 -owner username -auth username:password

yannK · ‎05-27-2014

The option -nolocal was introduced in splunk 6.0
The documentation is incorrect and will be updated.

View solution in original post

yannK · ‎05-27-2014

The option -nolocal was introduced in splunk 6.0
The documentation is incorrect and will be updated.

emiller42 · ‎05-27-2014

Thank you! Another reason to beg and plead to get our enterprise install upgraded.

Does this mean there is no mechanism to do what I want in Splunk 5.x?

Summary Index -nolocal

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases