Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is there no data in my summary index?

xsstest
Communicator
‎04-20-2017 12:01 AM

I built a splunk cluster. I created a lot of alerts on the main search server, some alerts I enabled the summary index, select the summary index for the "alerts", after a long period of time, my index "alerts" no data, why? Is there a problem with my configuration?

alt text

alt text

Tags (1)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xsstest
Communicator
‎05-04-2017 07:15 PM

answser:

In a cluster, if you need to create a summary index, it should not be created on the indexer cluster. You should create a summary index on the search head. Because the results of the search will not be written to the indexer cluster, will only write the summary index in the search header, and finally you need to configure the search header to forward the summary index to your index cluster.

中文:在集群中,如果你需要创建摘要索引,不应该在索引集群上创建。你应该在搜索头上创建摘要索引。因为搜索头产生的结果不会写入索引集群,只会写入搜索头中的摘要索引,最后你需要配置搜索头将摘要索引转发到你的索引集群里。

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xsstest
Communicator
‎05-04-2017 07:15 PM

answser:

In a cluster, if you need to create a summary index, it should not be created on the indexer cluster. You should create a summary index on the search head. Because the results of the search will not be written to the indexer cluster, will only write the summary index in the search header, and finally you need to configure the search header to forward the summary index to your index cluster.

中文:在集群中,如果你需要创建摘要索引,不应该在索引集群上创建。你应该在搜索头上创建摘要索引。因为搜索头产生的结果不会写入索引集群,只会写入搜索头中的摘要索引,最后你需要配置搜索头将摘要索引转发到你的索引集群里。

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-20-2017 12:15 AM

What was the search? Unless something was actually output to the summary index, it will be empty.

You must use commands like sistats, sichart, sitimechart, collect to put data into the summary index.
You might want to review the documentation on summary indexing here.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-20-2017 12:49 AM

I create an "alerts" index, and then in some of the alert to enabled the summary index to "alerts". This two-step setup is done. Is there a problem with this

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...