We have weird behavior: in the Data Summary screen on the Search Head, we see a host reporting events, but when clicking on the host to search for the details, the Search Head shows 0 results.
This is happening with only 1 host; other hosts from the same index and same sourcetype did not present the same issue.
I am experiencing the same issue as the original post, however, I have been issuing the delete command to remove test data, etc. When I issue the delete command it confirms that the correct number of events have been deleted, yet days later the Data Summary still shows event counts for hosts which no longer have associated events indexed. Please advise.
The data summary is not updated by the delete command.
And so how does one update the Data Summary after using the delete command? The documentation glosses over this point.
You don't. It updates itself when the bucket ages out.
What's the logic behind having this discrepancy? I don't administer the application, so I don't yet know what the retention period is, but why would someone want the Data Summary to continue to show results for data which is no longer present for the next X days/weeks/months?
The metadata command uses data that doesn't get updated when events are marked for deletion. Deleting events isn't intended to happen at all in Splunk, so it's not that big of a deal.
metadata has many more shortcomings, for example it doesn't honour time ranges accurately but rather has an all-or-nothing-per-bucket approach giving you seriously inaccurate data even without the delete command.
If you want accurate summaries, use
Okay... made sure the search runs over a sufficiently large time range?
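An added example (not posted by anyone in this thread) of how to check the discrepancy discussed above for yourself: it puts what the metadata command reports for each host next to an event-level count from a normal search over the same index. The index name `main` is an assumption; substitute your own. Run it with the time picker set to a range wide enough to cover the buckets you care about (All time is simplest), since the subsearch inherits the outer search's time range.

```spl
| metadata type=hosts index=main
| rename totalCount AS metadata_count
| table host metadata_count
| join type=left host
    [ search index=main | stats count AS event_count by host ]
| fillnull value=0 event_count
| eval delta = metadata_count - event_count
| where delta != 0
| sort - delta
```

Hosts that appear with `event_count` of 0 but a non-zero `metadata_count` are the case from the original post: bucket metadata still lists the host, but no searchable (non-deleted) events remain, so clicking through from the Data Summary returns nothing. A non-zero `delta` on hosts that do still have events reflects the per-bucket, all-or-nothing nature of the metadata counts mentioned above rather than anything wrong with the index.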