- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Is search user ownership affecting if events are s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have the following Saved Search configured to run daily on a cron schedule, the scheduled job appears to be running on time as expected but the search doesn't save any events to the Summary Index.
Saved Search:
index=index host=hosts sourcetype=sourcetype source=somelogfile.log
| addinfo
| eval _time = info_max_time
| rename xheaders.X-NOTIFICATION-TYPE to "Notification Type"
| sistats count by "Notification Type", reportField
| sort - psrsvd_gc
| collect spool=t uselb=t addtime=f index="summary" name="name" marker="report="name"
If I take out the collect clause and change sistats to stats, the query does return results. I know my account has permissions to write to the summary index.
In the same environment I do have one job running and saving to the summary index as expected, the only difference I can see is that the working one has "nobody" as the owner and the ones that are not functional have my username as the owner.
Also, something that is strange is that the same configuration works in our Pre-Production environment. The only real difference is that in Production our Splunk Administrators use the Deployer role to push the Saved Search configuration.
Has anybody else ran into this type of issue? Or know what I may have miss configured?
Regards,
Cory
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case anybody else runs into this issue, the root cause of the problem for me was the timing for when the data was landed in the main index - all the summary indexing scheduling and configuration was working as expected, but the search that was to aggregate values for summary index was not yet in the index, hence 0 results. Simply changing the timing of the s/i schedule helped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cory, interesting thing. For all our summary indexes, we don't use the collect command, but use the Summary indexing part of the UI. We do use the collect command for the original filling of the index...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case anybody else runs into this issue, the root cause of the problem for me was the timing for when the data was landed in the main index - all the summary indexing scheduling and configuration was working as expected, but the search that was to aggregate values for summary index was not yet in the index, hence 0 results. Simply changing the timing of the s/i schedule helped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did note one other small delta between the two saved searches that are functional and the new ones that aren't.
The difference was that the functional ones use summaryindex whereas the non-functional ones used collect. I did change all the non-functional ones to use summaryindex and there was no positive changes to the outcome.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
