stash_new file is not written to summary index

aluetjen · ‎10-27-2012

I created a summary index summary_example.

Using the 'collect' command I wrote events into a stash_new file.

SomeSearch | sitimechart span=1h max(SomeMetric) by Name | collect index=summary_example

I receive a message that the file has been successfully written:

Changing file extension to .stash_new for file=$random$_events.stash

Successfully wrote file to '106082206_events.stash_new'.

However, the search result does not appear in the index.

I searched index=_internal "106082206_events.stash_new" but didn't receive any events (other than the events to the search on the internal index itself).

How can I trouble shoot?

aluetjen · ‎10-27-2012

Restart of splunk solved the issue.

I searched the internal internal index for the summary index name and noticed that splunk wasn't happy to load the new index.

pacrip · ‎04-19-2016

Hi all, Im seeing similar behaviour to this in my 6.3 instance, is it meant to act like this? Its not ideal to have to repair the bucket every time you add new summary indexed events...

ahofmann · ‎03-16-2018

Did you ever find out any more info on this? I'm having the same issue, solved by a restart.

stash_new file is not written to summary index

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...