Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is backfilled summary index data not showing?

manderson7
Contributor
‎01-30-2017 05:38 AM

I run the following search on the search head and receive results that I expect:

index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name"

and when I run the following command, I see the searches running in the command line:

./splunk cmd python fill_summary_index.py -name "test_modulo_ss_manderso" -et @month -lt @w -owner e16247 -auth user:pw
Please enter the app that contains the search(es): search

*** For saved search 'test_modulo_ss_manderso' ***

*** Spawning a total of 503 searches (max 1 concurrent) ***

Executing test_modulo_ss_manderso for UTC = 1483250400 (Sun Jan  1 01:00:00 2017)
  waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1483250400_99026'
  ... Finished

...
Executing test_modulo_ss_manderso for UTC = 1485057600 (Sat Jan 21 23:00:00 2017)
  waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1485057600_99868'
  ... Finished

but I don't see the search name in the summary or metrics_summary index.

index=metrics_summary search_name=* host=searchhead| dedup search_name | table search_name

What am I doing wrong here? Thanks for any help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-30-2017 06:22 AM

I believe you need to add |collect index=metrics_summary to your saved search name, or save the search with the "enable summary index" option (as image below).

  index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name" | collect index=metrics_summary

alt text

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

johnjj7141
Explorer
‎01-31-2017 05:57 AM

I am encountering the same problem after upgrading from 6.3.3 --> 6.5.1

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-30-2017 06:22 AM

I believe you need to add |collect index=metrics_summary to your saved search name, or save the search with the "enable summary index" option (as image below).

  index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name" | collect index=metrics_summary

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

manderson7
Contributor
‎02-01-2017 05:42 AM

Turns out I needed to add
| sitimechart dc(Coordinator)
to the search in order to complete the summary index search requirements. Once I did that, I could backfill the data with Summary indexing enabled. Thanks for the help.

Reply
Solved! Jump to solution

manderson7
Contributor
‎01-30-2017 10:12 AM

Neither of those seemed to work, unfortunately. I first tried enabling the summary indexing in the search by checking enable, ran the python command string, and nothing showed up in the summary or metrics_summary index. Then I unchecked the summary indexing box and added the |collect index=metrics_summary string to the search, and ran the python command again. Still, nothing shows in metrics_summary.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-30-2017 10:41 AM

is it going to the index=summary instead?

0 Karma
Reply
Solved! Jump to solution

manderson7
Contributor
‎01-30-2017 10:44 AM

Nope, checked that as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...