Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is backfilled summary index data not showing?

manderson7
Contributor
‎01-30-2017 05:38 AM

I run the following search on the search head and receive results that I expect:

index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name"

and when I run the following command, I see the searches running in the command line:

./splunk cmd python fill_summary_index.py -name "test_modulo_ss_manderso" -et @month -lt @w -owner e16247 -auth user:pw
Please enter the app that contains the search(es): search

*** For saved search 'test_modulo_ss_manderso' ***

*** Spawning a total of 503 searches (max 1 concurrent) ***

Executing test_modulo_ss_manderso for UTC = 1483250400 (Sun Jan  1 01:00:00 2017)
  waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1483250400_99026'
  ... Finished

...
Executing test_modulo_ss_manderso for UTC = 1485057600 (Sat Jan 21 23:00:00 2017)
  waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1485057600_99868'
  ... Finished

but I don't see the search name in the summary or metrics_summary index.

index=metrics_summary search_name=* host=searchhead| dedup search_name | table search_name

What am I doing wrong here? Thanks for any help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-30-2017 06:22 AM

I believe you need to add |collect index=metrics_summary to your saved search name, or save the search with the "enable summary index" option (as image below).

  index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name" | collect index=metrics_summary

alt text

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

johnjj7141
Explorer
‎01-31-2017 05:57 AM

I am encountering the same problem after upgrading from 6.3.3 --> 6.5.1

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-30-2017 06:22 AM

I believe you need to add |collect index=metrics_summary to your saved search name, or save the search with the "enable summary index" option (as image below).

  index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name" | collect index=metrics_summary

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

manderson7
Contributor
‎02-01-2017 05:42 AM

Turns out I needed to add
| sitimechart dc(Coordinator)
to the search in order to complete the summary index search requirements. Once I did that, I could backfill the data with Summary indexing enabled. Thanks for the help.

Reply
Solved! Jump to solution

manderson7
Contributor
‎01-30-2017 10:12 AM

Neither of those seemed to work, unfortunately. I first tried enabling the summary indexing in the search by checking enable, ran the python command string, and nothing showed up in the summary or metrics_summary index. Then I unchecked the summary indexing box and added the |collect index=metrics_summary string to the search, and ran the python command again. Still, nothing shows in metrics_summary.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-30-2017 10:41 AM

is it going to the index=summary instead?

0 Karma
Reply
Solved! Jump to solution

manderson7
Contributor
‎01-30-2017 10:44 AM

Nope, checked that as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...