Hi,
I have a scheduled search where summary indexing is enabled
I also have a summary index created.
The output of the scheduled search is not send to summary index.
summar index = "test_summary"
Scheduled search name - test_summary_report
summary indexing is enabled
Cron schedule is set to run every minute.
What would be the issue?
@manjunathmeti you can see the query has run and we are getting the results, and the results from the query is sent to the index, but when i search the index=test_summary, no results are seen.
hi @VijaySrrie,
1. Check the time period for the scheduled search test_summary_report and see if the search produces any results in that time period. You can check the event count for the scheduled search on the Activity >> Jobs page.
2. If you are getting results in the time period then use the collect command to push the search results to the summary index.
saved_search_query | collect index=test_summary sourcetype=test
If this reply helps you, an upvote/like would be appreciated.
@manjunathmeti when I opened the scheduled search I could see the results
Scheduled search Query - | inputlookup lookup.csv
I tried the below query
saved_search_query | collect index=test_summary sourcetype=test
| inputlookup lookup.csv | collect index=test_summary (This is not working) --> When I searched the index=test_summary (Time range: All time) - I was not getting any results
Check if the user has access to index test_summary.
@manjunathmeti I am the user who created the Index, I have admin access
Try summarizing in another index:
| inputlookup noc | summaryindex index=main sourcetype=test