Why am I unable to write to a new index?
I have created a new index through the UI, by going to:
Settings > Data > Indexes > New Index
Filling out the name and then essentially leaving everything else as default.
I then wrote a scheduled search to write to this index. The search produces results when I run it in the search bar, and also works when I set it to write to other previously existing indexes. It only doesn't work when I try to write to a newly created index (I have tried with a few).
Is there a step I need to do to allow data to be written into a new index? What am I missing here?
Thanks,
Sam
By checking that you distributed the relevant indexes.conf to all indexers.
Okay thanks I shall go and check this.
Are you in a distributed environment? If so, make sure you create the index on all indexers.
How would I ensure the index is on all indexers?
Hi,
Can you post your search?
Hi,
It looks like this:
index=iis a_app=<app> a_action=<action>
| eventstats count min(time_taken) as min_tt max(time_taken) as max_tt avg(time_taken) as a_tt perc90(time_taken) as p_tt by a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| sistats max(_time) max(count) max(a_tt) max(p_tt) max(min_tt) max(max_tt) by a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| fields + psrsvd_nx__time psrsvd_nx_a_tt psrsvd_nx_count psrsvd_nx_min_tt psrsvd_nx_max_tt psrsvd_nx_p_tt a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| rename psrsvd_nx_a_tt AS "AverageTimeTaken"
| rename psrsvd_nx_count AS "CountOfEvents"
| rename psrsvd_nx_max_tt AS "MaxTimeTaken"
| rename psrsvd_nx_p_tt AS "90thPercentileTimeTaken"
| rename psrsvd_nx_min_tt AS "MinTimeTaken"
However, I have also tried just doing a simple one, like this:
index=iis a_app=<app> a_action=<action>
| fields + a_customer a_customer_code sc_status c_ip cs_host sc_bytes a_version _time time_taken date_month date_mday date_hour
OK, so I don't get what you mean by "writing to an index". Despite a summary index, you are not writing to an index by executing a search.
What is the error that is displayed when you run this search? What is your expected result?
Essentially I am trying to do what I would do to a summary index but on a fresh one, is it not the same principle? Where I enable summary indexing in the search and then select an index?
There is no error, the search runs as normal (even gives results) but does not write anything to the index I request.
Did you configure summary indexing on this index?
Refer to http://docs.splunk.com/Documentation/Splunk/7.2.1/Knowledge/Configuresummaryindexes