Reporting

Why are scheduled searches not working in our newly created index?

samwatson45
Path Finder

Why am I unable to write to a new index?

I have created a new index through the UI, by going to:

Settings > Data > Indexes > New Index

Filling out the name and then essentially leaving everything else as default.

I then wrote a scheduled search to write to this index. The search produces results when I run it in the search bar, and also works when I set it to write to other previously existing indexes. It only doesn't work when I try to write to a newly created index (I have tried with a few).

Is there a step I need to do to allow data to be written into a new index? What am I missing here?

Thanks,

Sam

0 Karma

martin_mueller
SplunkTrust

By checking that you distributed the relevant indexes.conf to all indexers.

0 Karma

samwatson45
Path Finder

Okay, thanks, I shall go and check this.

0 Karma

martin_mueller
SplunkTrust

Are you in a distributed environment? If so, make sure you create the index on all indexers.

0 Karma

samwatson45
Path Finder

How would I ensure the index is on all indexers?

0 Karma

dkeck
Influencer

Hi,

Can you post your search?

0 Karma

samwatson45
Path Finder

Hi,

It looks like this:

index=iis a_app=<app> a_action=<action>
| eventstats count min(time_taken) as min_tt max(time_taken) as max_tt avg(time_taken) as a_tt perc90(time_taken) as p_tt by a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| sistats max(_time) max(count) max(a_tt)  max(p_tt) max(min_tt) max(max_tt) by a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| fields + psrsvd_nx__time   psrsvd_nx_a_tt psrsvd_nx_count psrsvd_nx_min_tt psrsvd_nx_max_tt psrsvd_nx_p_tt a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| rename psrsvd_nx_a_tt AS "AverageTimeTaken" 
| rename psrsvd_nx_count AS "CountOfEvents" 
| rename psrsvd_nx_max_tt AS "MaxTimeTaken" 
| rename psrsvd_nx_p_tt AS "90thPercentileTimeTaken"
| rename psrsvd_nx_min_tt AS "MinTimeTaken"

0 Karma

samwatson45
Path Finder

However, I have also tried just doing a simple one, like this:

index=iis a_app=<app> a_action=<action>
| fields +  a_customer a_customer_code  sc_status c_ip cs_host sc_bytes a_version _time time_taken date_month date_mday date_hour

0 Karma

dkeck
Influencer

OK, so I don't get what you mean by "writing to an index"; despite a summary index, you are not writing to an index by executing a search.

What is the error that is displayed when you run this search? What is your expected result?

0 Karma

samwatson45
Path Finder

Essentially I am trying to do what I would do to a summary index but on a fresh one, is it not the same principle? Where I enable summary indexing in the search and then select an index?

There is no error, the search runs as normal (even gives results) but does not write anything to the index I request.

0 Karma

dkeck
Influencer

Did you configure summary indexing on this index?

Refer to http://docs.splunk.com/Documentation/Splunk/7.2.1/Knowledge/Configuresummaryindexes

0 Karma
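
The two pieces of configuration the replies above point at, as an added example that is not from any poster in this thread: the index defined identically on every indexer, and summary indexing enabled on the scheduled search. The index name `iis_summary`, the saved search name and the schedule are assumptions; the search string is the simpler one posted above.

```ini
# indexes.conf: the same stanza has to be present on every indexer.
# "iis_summary" is a hypothetical index name.
[iis_summary]
homePath   = $SPLUNK_DB/iis_summary/db
coldPath   = $SPLUNK_DB/iis_summary/colddb
thawedPath = $SPLUNK_DB/iis_summary/thaweddb

# savedsearches.conf: on the search head that runs the scheduled search.
# Stanza name and schedule are hypothetical.
[IIS hourly summary]
search = index=iis a_app=<app> a_action=<action> | fields + a_customer a_customer_code sc_status c_ip cs_host sc_bytes a_version _time time_taken date_month date_mday date_hour
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Summary indexing must be switched on and pointed at the target index.
action.summary_index = 1
action.summary_index._name = iis_summary
```

To see which indexers actually have the index, `| rest /services/data/indexes splunk_server=* | search title=iis_summary | table splunk_server title` run from the search head lists one row per server that defines it.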