Knowledge Management

Is there anything wrong with my saved Search?

Dark_Ichigo
Builder

I have identified a saved search located in savedsearches.conf. The main search in macros.conf works fine and outputs data, but for some reason this is not being populated within the Summary Index specified:

[Stanza_Name]
action.email.inline = 1
action.summary_index = 1
action.summary_index._name = SummaryIndex
alert.severity = 2
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
# run hourly
cron_schedule = 5 * * * *
description = <description_here>
dispatch.earliest_time = -1h@h
dispatch.latest_time = now
enableSched = 1
realtime_schedule = 0
search = `Search_Query`

All the other saved searches work fine and are populating the summary index specified, and at the right cron time. Like I said before, I have tested the actual search and I can see results. What could be the issue?

Quick Update:

I searched for the jobs running in the background for all of the saved searches and found that the specific search that was not populating the summary index was in fact running every 5 min, so I clicked on the link for the actual search running and got this:

`Search_Query` | summaryindex spool=t uselb=t addtime=t index="SummaryIndex" file="Search_Query_136539995.stash_new" name="Stanza_Name" marker=""

But the Time Range picker was set at a certain time to not collect data older than 5pm for today, which is what I expect as I am running the search every 5m to populate the summary index.

So I switched it to "All Time" and got some results, and to my surprise the whole summary index was populated. What's going on?

0 Karma
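The stanza above mixes three settings that decide whether a scheduled search actually writes to its summary index: the schedule (cron_schedule), the dispatch window (dispatch.earliest_time / dispatch.latest_time) and throttling (alert.suppress). The Python script below is an added example, not code from this thread or from Splunk: it parses a savedsearches.conf stanza (a constructed copy of the one in the question, with a placeholder description) and reports the things a practitioner checks first. The checks are heuristics and are my assumptions: the dispatch window should cover exactly the interval between runs (a window longer than the cadence summarises events twice, a shorter one leaves gaps), and alert.suppress throttles alert actions, of which summary indexing is one. Function names (parse_conf, check_stanza, window_vs_cadence) and the reference run time are mine.

```python
"""Sanity checks for a Splunk savedsearches.conf stanza that feeds a summary index.

Added example; not code from the thread or from Splunk. The checks are heuristics
(assumptions): the search must be scheduled, its dispatch window should match the
interval between runs, and it should not be throttled, since alert.suppress applies
to alert actions and summary indexing is configured as one (action.summary_index).
"""
import configparser
import re
from datetime import datetime, timedelta

# Constructed copy of the stanza from the question; the description is a placeholder.
SAMPLE_CONF = """\
[Stanza_Name]
action.email.inline = 1
action.summary_index = 1
action.summary_index._name = SummaryIndex
alert.severity = 2
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
# run hourly
cron_schedule = 5 * * * *
description = placeholder
dispatch.earliest_time = -1h@h
dispatch.latest_time = now
enableSched = 1
realtime_schedule = 0
search = `Search_Query`
"""

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
REF_RUN_TIME = datetime(2024, 3, 1, 10, 5)  # constructed run time, 5 past the hour


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep e.g. action.summary_index._name as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def cron_interval_seconds(cron):
    """Seconds between runs for simple cron forms; None when the cadence is irregular."""
    fields = cron.split()
    if len(fields) != 5:
        return None
    minute, hour, dom, month, dow = fields
    if (dom, month, dow) != ("*", "*", "*"):
        return None
    step_min = re.fullmatch(r"\*/(\d+)", minute)   # */5 * * * *
    step_hour = re.fullmatch(r"\*/(\d+)", hour)    # 0 */2 * * *
    if step_min and hour == "*":
        return int(step_min.group(1)) * 60
    if minute.isdigit() and hour == "*":           # 5 * * * *  -> hourly
        return 3600
    if minute.isdigit() and step_hour:
        return int(step_hour.group(1)) * 3600
    if minute.isdigit() and hour.isdigit():        # 30 3 * * * -> daily
        return 86400
    return None


def resolve_time(spec, ref):
    """Resolve a relative time spec such as 'now', '-1h@h', '-15m' or '@h' against ref."""
    if spec == "now":
        return ref
    m = re.fullmatch(r"(?:(-?\d+)([smhd]))?(?:@([smhd]))?", spec)
    if not m:
        raise ValueError(f"unsupported time spec: {spec}")
    amount, unit, snap = m.groups()
    t = ref + timedelta(seconds=int(amount) * UNIT_SECONDS[unit]) if amount else ref
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def window_vs_cadence(stanza):
    """Return (dispatch window in seconds, cadence in seconds or None), evaluated at the cron minute."""
    cron = stanza.get("cron_schedule", "")
    fields = cron.split()
    minute = int(fields[0]) if fields and fields[0].isdigit() else 0
    ref = REF_RUN_TIME.replace(minute=minute)
    earliest = resolve_time(stanza.get("dispatch.earliest_time", "now"), ref)
    latest = resolve_time(stanza.get("dispatch.latest_time", "now"), ref)
    return int((latest - earliest).total_seconds()), cron_interval_seconds(cron)


def check_stanza(stanza):
    """Return a list of findings for one summary-indexing stanza."""
    if stanza.get("action.summary_index") != "1":
        return ["action.summary_index is not 1: nothing will be written to a summary index"]
    findings = []
    if stanza.get("enableSched") != "1":
        findings.append("enableSched is not 1: the search never runs on a schedule")
    if stanza.get("alert.suppress") == "1":
        period = stanza.get("alert.suppress.period", "?")
        findings.append(f"alert.suppress = 1: throttling suppresses alert actions, summary indexing "
                        f"included; a run that triggers within {period} of the previous trigger fires none")
    window, cadence = window_vs_cadence(stanza)
    if cadence is None:
        findings.append("cron_schedule has no simple fixed cadence; check the window by hand")
    elif window > cadence:
        findings.append(f"window {window}s > cadence {cadence}s: runs overlap by {window - cadence}s, "
                        f"so events are summarised twice; snap dispatch.latest_time too (e.g. @h)")
    elif window < cadence:
        findings.append(f"window {window}s < cadence {cadence}s: {cadence - window}s between runs is never summarised")
    return findings


if __name__ == "__main__":
    for name, stanza in parse_conf(SAMPLE_CONF).items():
        print(f"[{name}]")
        for finding in check_stanza(stanza):
            print("  -", finding)
```

Run against the constructed stanza, the script reports two things: alert.suppress = 1 is set on a search whose only purpose is to write to a summary index, and an hourly run at :05 with earliest -1h@h and latest now covers 65 minutes, so each run overlaps the previous one by 5 minutes. Whether either is the cause here is for the poster to confirm; the point is that these are the settings to compare against the other, working, stanzas.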

RohiniJindam
Path Finder

Run this search (Search_Query) in the flashtimeline (in your app). In the time range picker, select custom time range. In that, specify the earliest and latest time values as those specified in your saved search. If that does not give you results, it means the data required by your search is not present in the specified time range. Either add data and try again, or else change the time range.

0 Karma

Dark_Ichigo
Builder

I have been using Splunk for 3 years now; that is obviously one of the first things I tried. I do get results, but the Summary Index isn't being populated.

0 Karma