Deployment Architecture

What happens to a summary index search during a server restart?

Builder

Will summary index searches be queued up for a certain amount of time or will the searches simply be skipped and a backfill script will need to be run to fill in any gaps?

Tags (3)
0 Karma
1 Solution

Motivator

Hello

It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.

Regards

View solution in original post

Motivator

Hello

It depends on the search schedule, but if the restart or down time took place during the schedule of the search, then that execution will be skkiped and then you will need to backfill those results.

Regards

View solution in original post

Builder

Makes sense. Thanks. I was hopping that searches would be queued up for a short period of time to avoid having to worry about restarts. The search only takes a few seconds so hopefully this won't be an issue.

0 Karma

Motivator

If the restart tooks more than 1 minute, then that execution will be skkiped, and you would need to run a command to backfill that missing execution

If the restart take place between executions, then the summary index won't be affected.

Regards

0 Karma

Builder

It's a search that is scheduled every 5 minutes to populate a 5 minute summary index. The start time is -6m@m and finish is -1m@m with a cron schedule of 1,6,11,16,21,26,31,36,41,46,51,56 * * * *. If I understand you correctly, if the Splunk server is restarted at 14:30 and the next scheduled search is set to run at 14:31 then it would be skipped?

0 Karma