
fill_summary_index.py error backfilling 5-minute CPU utilization summary index

ww9rivers
Communicator

Here is the search (name = CPU-Summary-WMI):

sourcetype="WMI:CPUTime" earliest=-5m@m  | stats avg(PercentProcessorTime) AS proc avg(PercentUserTime) AS user by host

It is scheduled to run every 5 minutes starting at 00-minute to the hour.

To backfill the summary index, I try to run this command line:

./splunk cmd python fill_summary_index.py -app search -name "CPU-Summary-WMI" -owner *mememe* -j 8 -et '08/01/2012:00:00:00' -lt '10/04/2012:21:20:00' -dedup true -auth admin:*changeme*

With that, I get the error shown below every time:

*** For saved search 'CPU-Summary-WMI' ***
Failed to get list of scheduled times for saved search 'CPU-Summary-WMI' (app = 'search', error = '[HTTP 400] Bad Request; [{'text': "In handler 'savedsearch': Cannot parse time argument 'earliest_time': '08/01/2012:00:00:00'", 'code': None, 'type': 'ERROR'}]'

No searches to run

Searching for the error, the results I find seem to say that the problem may be caused by the "earliest=-5m@m" part in the search, which conflicts with the "-et" option on the command line.

But both are needed for what I want to do.

Any suggestions on how I may resolve this?


Lucas_K
Motivator

You need to remove that earliest command from your search and put it into the scheduled search parameters. The savedsearches parameters are how you control the window of time that the search operates inside of.

i.e. something like this in your savedsearches.conf:

[CPU-Summary-WMI]
action.email.inline = 0
action.summary_index = 1
action.summary_index._name = cpu_summary
alert.digest_mode = True
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
disabled = 0
alert.suppress = 0
alert.track = 0
cron_schedule = */5 * * * *
enableSched = 1
realtime_schedule = 0
search = `CPU-Summary-WMI`

This way when your search runs it will spawn 12 searches per hour but the time provided to the search will be back 5 minutes into the past. The "now" time will be relative to the time provided by the backfill script.

Then re-run the backfill script with something like "-e 1343779200 -l 1349385600"

I use similar searches to populate summary indexes for data that arrived just under 2 days late.

dglinder
Path Finder

The "-et" and "-lt" fields need either a relative time ("-6d@d" or "-y") or a Unix epoch time ("Fri Jul 11 10:00:56 EDT 2014" == 1405087256), but I've found that I need to have the fill_summary_index.py script start and stop at specific times (i.e. "-et June 22, 2014 22:00:00").

I could convert those times to epoch and then run the command on the command line, but I'm lazy and that's prone to error. I use the Unix "date" command like this (in KSH):

./splunk cmd python fill_summary_index.py ... -et $(date -d "June 22 2014 22:00" +%s) ...

At 3AM this helps me avoid one more possible typo...

0 Karma

alacercogitatus
SplunkTrust

According to the docs, -et must be a relative time string or an epoch time. So try this:

-et -60d@d -lt now
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Managesummaryindexgapsandoverlaps