topic fill_summary_index.py error backfilling 5-minute CPU utilization summary index in Knowledge Management

fill_summary_index.py error backfilling 5-minute CPU utilization summary index

ww9rivers — Tue, 09 Oct 2012 20:31:10 GMT

Here is the search (name = CPU-Summery-WMI):

sourcetype="WMI:CPUTime" earliest=-5m@m  | stats avg(PercentProcessorTime) AS proc avg(PercentUserTime) AS user by host

It is scheduled to run every 5 minutes starting at 00-minute to the hour.

To back fill the index summary, I try to run this command line:

./splunk cmd python fill_summary_index.py -app search -name "CPU-Summary-WMI" -owner *mememe* -j 8 -et '08/01/2012:00:00:00' -lt '10/04/2012:21:20:00' -dedup true -auth admin:*changeme*

With that, I get the error shown below every time:

*** For saved search 'CPU-Summary-WMI' ***
Failed to get list of scheduled times for saved search 'CPU-Summary-WMI' (app = 'search', error = '[HTTP 400] Bad Request; [{'text': "In handler 'savedsearch': Cannot parse time argument 'earliest_time': '08/01/2012:00:00:00'", 'code': None, 'type': 'ERROR'}]'

No searches to run

Searching for the error, the results I find seem to say that the problem may be caused by the "earliest=-5m@m" part in the search, which conflicts with the "-et" option on the command line.

But both are needed for what I want to do.

Any suggestion to how I may resolve this?

Re: fill_summary_index.py error backfilling 5-minute CPU utilization summary index

alacercogitatus — Wed, 10 Oct 2012 00:27:39 GMT

According to the docs, -et must be a relative time string or an epoch time. So try this

-et -60d@d -lt now
http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Managesummaryindexgapsandoverlaps

Re: fill_summary_index.py error backfilling 5-minute CPU utilization summary index

Lucas_K — Wed, 10 Oct 2012 00:30:06 GMT

You need to remove that earliest command from your search and put it into the scheduled search parameters. The savedsearches parameters are how you control the window of time that the search operates inside of.

ie. something like this in your savedsearches.conf

[CPU-Summary-WMI]
action.email.inline = 0
action.summary_index = 1
action.summary_index._name = cpu_summary
alert.digest_mode = True
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
disabled = 0
alert.suppress = 0
alert.track = 0
cron_schedule = */5 * * * *
enableSched = 1
realtime_schedule = 0
search = `CPU-Summary-WMI`

This way when your search runs it will spawn 12 searches per hour but the time provided to the search will be back 5 minutes into the past. The "now" time will be relative to the time provided by the backfill script.

Then re-run the backfill script with something like "-e 1343779200 -l 1349385600"

I use similar searches to populate summary indexes for data that arrived just under 2 days late.

Re: fill_summary_index.py error backfilling 5-minute CPU utilization summary index

dglinder — Mon, 28 Sep 2020 17:02:44 GMT

Since the "-et" and "-lt" fields need either a relative time ("-6d@d" or "-y"), or a Unix Epoc time ("Fri Jul 11 10:00:56 EDT 2014" == 1405087256), but I've found that I need to have the fill_summary_index.py script start and stop at specific times (i.e. "-et June 22, 2014 22:00:00").

I could convert those times to epoc, then run the command on the command line, but I'm lazy and that's prone to error. I use the Unix "date" command like this (in KSH):

/splunk cmd python fill_summary_index.py ... -et $(date -d "June 22 2014 22:00" +%s) ...

At 3AM this helps me avoid one more possible typo...