backfill summary index one day at a time

michaelrosello · ‎06-29-2018

I'm trying to back fill my summary index one day at a time because my current savesearch contains a lot of regular expressions and can only run 24 hours of data for it not to be truncated.

For example my data if from 01/01/2018 up to present.

So what I want is when i execute the script it will run for 01/01/2018 data. then after it finishes then will run again for 01/02/2018 data until I reach the date yesterday.

hallt2 · ‎10-22-2018

You can use the Python API to do so pretty easily. You just have the search with the collect or summaryindex command and use a loop to iterate. http://dev.splunk.com/python

woodcock · ‎06-29-2018

Your question makes no sense. Create a different populating search that will run every day for Last 24 hours and then run the backfill script over as many days as you like. It will run 1 day at a time, over and over.

michaelrosello · ‎07-01-2018

What Im trying to do is. put in summary index my data of 01/01/2018 upto 06/30/2018 in one execution. I want to backfill them all in one day.

woodcock · ‎07-01-2018

And that is exactly what I told you how to do. Create a SI-populating search that covers Last 24 hours or Yesterday and the do backfill as described here, with the python script:

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps

backfill summary index one day at a time

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM