What is the earliest and latest for running a back...

Dark_Ichigo · ‎05-30-2012

I want to run a backfill script to create a summary index, I want to do this in realtime!

I have tried using the rt but it doesnt seem to work as I have seen other questions about this only working under times.conf.

How can I run a backfill script in realtime, I would Like an example and not just what I need to put in the limits.conf

Thanks

daskuntal · ‎08-17-2012

Yes, you already answered your question. I believe what you are trying to do is exactly what a Summary Indexed search is supposed to do. Perform a scheduled search to populate the summary index. The problem with taht is, you will only start fillign up the index from the moment you created & started the running the Search.

What backfill script does is goes back in time & pre-fills the Summary Index with data from whoever many months you want to go back to.

Hope that clarifies your question.

gkanapathy · ‎05-30-2012

It's not possible to create a summary index in real time.

Dark_Ichigo · ‎05-30-2012

I want to run a backfill script to populate my summary index, the backfill script runs everyday via a cron job.

Can this be done without a backfill script and just a scheduled saved search with summary indexing enabled?

gkanapathy · ‎05-30-2012

I don't think I understand what you mean by backfill, or what you expect backfill is supposed to do.

Dark_Ichigo · ‎05-30-2012

Then whats the point of running a Backfill if you can just schedule a saved to populate a summary index?

Whats the closest to running a summary index in realtime?

What is the earliest and latest for running a backfill script in realtime?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor