Archive
Highlighted

fill_summary_index.py not working

Engager

I'm running the command below:
sudo -u splunk /opt/splunk/bin/splunk cmd python /opt/splunk/bin/fillsummaryindex.py -app search -name eligible -et -y -lt now -j 2 -owner admin -auth admin:password

I get the following back:
*** For saved search 'eligible' ***
No handlers could be found for logger "splunk.rest.format"
No scheduled times for your time range.

No searches to run

I'm not sure what the response back means exactly.
'eligible' is a scheduled search and I'm trying to run that same search but using it to backfill the summary index.

0 Karma
Highlighted

Re: fill_summary_index.py not working

SplunkTrust
SplunkTrust

Is the scheduling enabled for the search? What is the time range you're using and what is the cron schedule for the search?

0 Karma
Highlighted

Re: fill_summary_index.py not working

Engager

scheduling is enabled for the search. should I disable that?
I'm using Basic and running every minute. My search range is -7mon@mon and -7mon@mon+1h.
But there is data before that I need to backfill.

0 Karma
Highlighted

Re: fill_summary_index.py not working

Legend

Are you running the search on a search head, but the summary index resides on indexers? You might need the -nolocal option.

But I really suspect that you need to include the -owner option, or perhaps change the permissions on the scheduled search eligible

More info on the options: Manage summary index gaps and overlaps

0 Karma