Solved: What happens to a summary index search during a se...

sc0tt · ‎09-30-2013

Will summary index searches be queued up for a certain amount of time or will the searches simply be skipped and a backfill script will need to be run to fill in any gaps?

gfuente · ‎09-30-2013

Hello

It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.

Regards

View solution in original post

gfuente · ‎09-30-2013

Hello

It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.

Regards

sc0tt · ‎09-30-2013

Makes sense. Thanks. I was hopping that searches would be queued up for a short period of time to avoid having to worry about restarts. The search only takes a few seconds so hopefully this won't be an issue.

gfuente · ‎09-30-2013

If the restart tooks more than 1 minute, then that execution will be skkiped, and you would need to run a command to backfill that missing execution

If the restart take place between executions, then the summary index won't be affected.

Regards

sc0tt · ‎09-30-2013

It's a search that is scheduled every 5 minutes to populate a 5 minute summary index. The start time is -6m@m and finish is -1m@m with a cron schedule of 1,6,11,16,21,26,31,36,41,46,51,56 * * * *. If I understand you correctly, if the Splunk server is restarted at 14:30 and the next scheduled search is set to run at 14:31 then it would be skipped?

What happens to a summary index search during a server restart?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2