Summary reports not updating

a212830 · ‎11-03-2017

Hi,

I have some dashboard which use summary reports. We had some problems recently, and a number of the reports came back with zero events, and that is appearing in the dashboard. The job is scheduled to run everynight at midnight. My assumption was that the data would fill-in the next day, but that's not happening. How can I get this summary report data to update?

somesoni2 · ‎11-03-2017

Check the scheduler logs (index=_internal sourcetype=scheduler savedsearch_name=YourSummaryIndexSearchNameHere) to see if they are running OR not. If for some reason they didn't run (but running now), you would've to backfill it for those missing days. See these
https://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Managesummaryindexgapsandoverlaps
https://wiki.splunk.com/Community:Summary_Indexing_Back_Fill

somesoni2 · ‎11-03-2017

Check the scheduler logs (index=_internal sourcetype=scheduler savedsearch_name=YourSummaryIndexSearchNameHere) to see if they are running OR not. If for some reason they didn't run (but running now), you would've to backfill it for those missing days. See these
https://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Managesummaryindexgapsandoverlaps
https://wiki.splunk.com/Community:Summary_Indexing_Back_Fill

sloshburch · ‎11-07-2017

Bingo. Summary Indexing has no dedicated UI. It's just captured results of a scheduled search so unfortunately you'll have to do some debugging into the search that generates the data to understand what's up.

Summary reports not updating

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2