https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87192#M892 <P>We are trying to use the fill_summary_index.py script to backfill times when the data isn't populated. I am finding that the -dedup t option does not work and I am getting duplicate data in my summary index. </P> <P>My command: ./splunk cmd python fill_summary_index.py -app ecomm_splunk_administration -dedup t -name sumidx_webserver_count_1minute -et -11m@m -lt -4m@m -owner summaryadmin -index webserver_summary_fivemin -auth nbkgild:mypassword</P> <P>When I look at the output, I see the following:<BR /> *** For saved search 'sumidx_webserver_count_1minute' ***<BR /> Executing search to find existing data: 'search splunk_server=local index=webserver_summary_fivemin source="sumidx_webserver_count_1minute" | stats count by search_now'<BR /> waiting for job sid = '1358203822.191' ... finished<BR /> All scheduled times will be executed.</P> <P>*** Spawning a total of 6 searches (max 1 concurrent) ***</P> <P>The issue I see, is the search splunk_server=local. My splunk environment is a distributed server environment and therefore, my summary index is not on the local search head. How can I stop it from searching only the local server? and instead use the servers in the distributedsearch.conf file?</P> <P>Thanks,<BR /> Sarah</P> Mon, 28 Sep 2020 13:06:32 GMT SarahBOA 2020-09-28T13:06:32Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87192#M892 <P>We are trying to use the fill_summary_index.py script to backfill times when the data isn't populated. I am finding that the -dedup t option does not work and I am getting duplicate data in my summary index. </P> <P>My command: ./splunk cmd python fill_summary_index.py -app ecomm_splunk_administration -dedup t -name sumidx_webserver_count_1minute -et -11m@m -lt -4m@m -owner summaryadmin -index webserver_summary_fivemin -auth nbkgild:mypassword</P> <P>When I look at the output, I see the following:<BR /> *** For saved search 'sumidx_webserver_count_1minute' ***<BR /> Executing search to find existing data: 'search splunk_server=local index=webserver_summary_fivemin source="sumidx_webserver_count_1minute" | stats count by search_now'<BR /> waiting for job sid = '1358203822.191' ... finished<BR /> All scheduled times will be executed.</P> <P>*** Spawning a total of 6 searches (max 1 concurrent) ***</P> <P>The issue I see, is the search splunk_server=local. My splunk environment is a distributed server environment and therefore, my summary index is not on the local search head. How can I stop it from searching only the local server? and instead use the servers in the distributedsearch.conf file?</P> <P>Thanks,<BR /> Sarah</P> Mon, 28 Sep 2020 13:06:32 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87192#M892 SarahBOA 2020-09-28T13:06:32Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87193#M893 <P>To solve the issue, I editted the fill_smmary_index.py file and removed the splunk_server=local from the dedup_search variable. That seems to have solved it and I am no longer getting duplicate records put into my index.</P> Mon, 28 Sep 2020 13:08:07 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87193#M893 SarahBOA 2020-09-28T13:08:07Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87194#M894 <P>If you are using a SH to run the backfill script and your summary indexed data resides on indexers, you will want to use an undocumented (in the help file) option called -nolocal .</P> <PRE><CODE>./splunk cmd python fill_summary_index.py -dedup true -nolocal true </CODE></PRE> <P>This tells Splunk to go to the indexers to find the data for deduplication.</P> Thu, 11 Sep 2014 20:52:04 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87194#M894 the_wolverine 2014-09-11T20:52:04Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87195#M895 <P>option -nolocal true is taking lot to time to execute and its degrading the splunk performance on the server. is there any better way to achieve this. thanks</P> Tue, 15 Dec 2015 10:33:34 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87195#M895 rakesh_498115 2015-12-15T10:33:34Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87196#M896 <P>you mean this line from fill_summary_index.py , correct? dedupsearch = 'search splunk_server=local index=$index$ $namefield$="$name$" | stats count by $timefield$'</P> Tue, 29 Sep 2020 09:45:48 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87196#M896 wsnyder2 2020-09-29T09:45:48Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87197#M897 <P>Is there any way to "clean" an existing summary index that contains duplicates? </P> Wed, 25 May 2016 20:47:26 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87197#M897 wsnyder2 2016-05-25T20:47:26Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87198#M898 <P>Me too... I tried this option "-no local true" .... and it did not do anything, after waiting hours. </P> Wed, 25 May 2016 20:48:34 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87198#M898 wsnyder2 2016-05-25T20:48:34Z https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87199#M899 <P>delete the whole range and then rerun the backfill is probably best unless you can create a custom script that finds all duplicate entries and cleans them. Might be easiest just to delete for the range (can do this by piping a search to the delete command) and rebuild</P> Thu, 02 Feb 2017 18:42:55 GMT https://community.splunk.com/t5/Knowledge-Management/fill-summary-index-dedup-issue/m-p/87199#M899 briancronrath 2017-02-02T18:42:55Z