I'm having a bit of trouble trying to backfill a couple of days in my summary index from a query using the collect command. Events are returned from the query and placed in the summary index, but for some reason Splunk isn't recognizing any of the field extractions that are already applied to that sourcetype (even though when you summary-index data, it's saved with a sourcetype of stash). If I populate the summary index from a saved search, everything is fine; it's only when I execute an ad-hoc search (from the search app, for instance) and use collect to save the data that the fields go missing.
Here's an example of the same query, trying to backfill data from my _raw index for October 1st-2nd:
index="cdn_download_logs" resource_relative_uri="*.exe" OR resource_relative_uri="*.msi" OR resource_relative_uri="*.dmg"
earliest=10/01/2012:00:00:00 latest=10/02/2012:00:00:00
| eval lastFileByte=filesize-1
| eval endByteInt=if(endByte>0, tonumber(endByte,10), lastFileByte)
| eval startByteInt=if(startByte>0, tonumber(startByte,10), 0)
| eval leftToSend=((endByteInt-startByteInt)-sc_bytes)
| eval downloadStatus=if(endByteInt==lastFileByte AND leftToSend<=0, "SUCCESS", "FAILURE")
| search downloadStatus="SUCCESS"
| collect index="summary_download_success_events"
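(For reference, one variant I've been considering, just a sketch based on my reading of the collect docs, not something I've verified: explicitly keep the fields I care about before collecting, so they're written into the stash events as key=value pairs, and tag the events with collect's marker option. The field list and marker string here are just illustrative.)

```
... | search downloadStatus="SUCCESS"
| fields resource_relative_uri, sc_bytes, startByteInt, endByteInt, downloadStatus
| collect index="summary_download_success_events" marker="report=download_success"
```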
Is there a subtle nuance I'm missing that's causing my field extractions not to get applied? The weirdest part is that data returned from a saved search and added to the summary index works perfectly. I'm not sure if the eval expressions in my example query above are causing some unwanted behavior (although this is the exact same query I have running in the scheduled search that works).
I also know there's a Python script somewhere in the Splunk directory that's written to assist with backfilling summary index data. Is this a better option? If so, why?
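For context, the script I'm thinking of is (I believe) fill_summary_index.py under $SPLUNK_HOME/bin, which backfills by re-running a scheduled saved search over past time ranges rather than an ad-hoc query. Something along these lines is what I'd expect to run; the saved search name and credentials below are placeholders, and the flags are from memory, so treat the exact arguments as assumptions to check against your Splunk version's docs:

```shell
# Hypothetical invocation of Splunk's summary-index backfill helper.
# "my_download_success_savedsearch" and admin:changeme are placeholders.
cd "$SPLUNK_HOME/bin"
./splunk cmd python fill_summary_index.py \
    -app search \
    -name "my_download_success_savedsearch" \
    -et 10/01/2012:00:00:00 \
    -lt 10/02/2012:00:00:00 \
    -j 8 \
    -auth admin:changeme
```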
Any help/feedback is much appreciated.