Deployment Architecture

What happens to a summary index search during a server restart?

sc0tt
Builder

Will summary index searches be queued up for a certain amount of time or will the searches simply be skipped and a backfill script will need to be run to fill in any gaps?

Tags (3)
0 Karma
1 Solution

gfuente
Motivator

Hello

It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.

Regards

View solution in original post

gfuente
Motivator

Hello

It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.

Regards

View solution in original post

sc0tt
Builder

Makes sense. Thanks. I was hopping that searches would be queued up for a short period of time to avoid having to worry about restarts. The search only takes a few seconds so hopefully this won't be an issue.

0 Karma

gfuente
Motivator

If the restart tooks more than 1 minute, then that execution will be skkiped, and you would need to run a command to backfill that missing execution

If the restart take place between executions, then the summary index won't be affected.

Regards

0 Karma

sc0tt
Builder

It's a search that is scheduled every 5 minutes to populate a 5 minute summary index. The start time is -6m@m and finish is -1m@m with a cron schedule of 1,6,11,16,21,26,31,36,41,46,51,56 * * * *. If I understand you correctly, if the Splunk server is restarted at 14:30 and the next scheduled search is set to run at 14:31 then it would be skipped?

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!