We are on 6.3.3. I have a search that returns results when I run it. I have it scheduled to run, and it shows that it runs successfully; however, the data is not getting put into the summary index.
The Search
index=##someindex## sourcetype=##sometype## virus definitions
| dedup Host_Name
| eval definitiontime=substr(client_sequence,0,6) + "000000"
| eval newdefdate=strptime(definitiontime,"%y%m%d%H%M")
| eval daysOld = floor((now() - newdefdate )/86400)
| eval DefinitionStatus = case(daysOld = 0, "Current",daysOld = 1, "1 Day Old", daysOld <= 7, "2 to 7 Days Old",daysOld <= 14, "8 to 14 Days Old", daysOld <= 30, "15 to 30 Days Old", daysOld > 30, "Over 30 Days")
| bucket _time span=1d
| eval _time=now()
| sistats count by DefinitionStatus
Job Inspector for Scheduled Search
This search has completed and has returned 6 results by scanning 104,841 events in 8.937 seconds.
It is an instance of the saved search: Summary - Security.
The following messages were returned by the search subsystem:
INFO: Successfully wrote file to '/opt/splunk/var/spool/splunk/##blahblah##.stash_new'.