I am testing this script to be utilised in production, and in my test-bed I found that this script is not doing the dedup, meaning even if the saved search that populates the summary index had run at a particular time (say 5 am), the script is still triggering the search at the same moment when this time (5 am) falls in the -et #### -lt ##### range and writing the data into the summary index, causing duplication >> affecting the stats badly.
Search trigger command --
/opt/splunk/bin/splunk cmd python fill_summary_index.py -app <app_name> -name '<saved_search_name>' -et 1420781400 -lt 1420788600 -dedup true -auth admin:<pwd>
I have already included the -dedup true argument.
I am aware that this -dedup true is different from the search command | dedup, and it's being triggered on the search head (with forward data enabled to indexers) - Splunk 6.0.4 (build 207768)
Correct me if I am missing anything, thanks in advance!!
Got the hack, was missing an argument of nolocal -
/opt/splunk/bin/splunk cmd python fill_summary_index.py -app -name -et -7d@d -lt @d -dedup true -nolocal true -auth admin: