
Why is backfilled summary index data not showing?

Contributor

I run the following search on the search head and receive results that I expect:

index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name"

and when I run the following command, I see the searches running in the command line:

./splunk cmd python fill_summary_index.py -name "test_modulo_ss_manderso" -et @month -lt @w -owner e16247 -auth user:pw
Please enter the app that contains the search(es): search

*** For saved search 'test_modulo_ss_manderso' ***

*** Spawning a total of 503 searches (max 1 concurrent) ***

Executing test_modulo_ss_manderso for UTC = 1483250400 (Sun Jan  1 01:00:00 2017)
  waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1483250400_99026'
  ... Finished

...
Executing test_modulo_ss_manderso for UTC = 1485057600 (Sat Jan 21 23:00:00 2017)
  waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1485057600_99868'
  ... Finished

but I don't see the search name in the summary or metrics_summary index.

index=metrics_summary search_name=* host=searchhead| dedup search_name | table search_name

What am I doing wrong here? Thanks for any help.

1 Solution

SplunkTrust
SplunkTrust

I believe you need to add |collect index=metrics_summary to your saved search name, or save the search with the "enable summary index" option (as in the image below).

index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name" | collect index=metrics_summary

[screenshot of the "enable summary index" option not preserved]


Explorer

I am encountering the same problem after upgrading from 6.3.3 --> 6.5.1



Contributor

Turns out I needed to add
| sitimechart dc(Coordinator)
to the search in order to complete the summary index search requirements. Once I did that, I could backfill the data with Summary indexing enabled. Thanks for the help.
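The thread ends with the saved search being rewritten to use an si* transforming command (sitimechart) before the backfill produced anything. As an added example that is not part of this thread and not Splunk's own tooling, the following Python script parses a savedsearches.conf and reports, stanza by stanza, the conditions this thread touched on before a backfill run: summary indexing enabled with a target index set (the real settings action.summary_index and action.summary_index._name), or a | collect in the search; and, for the summary-index action, an si* transforming command in the pipeline, which is the fix the original poster reported. The three stanzas in SAMPLE_CONF are constructed to mirror the search from this thread in its "raw", "sitimechart" and "collect" forms; the pipe-splitting helper is deliberately simple and does not handle a "|" inside a quoted string.

```python
"""Pre-backfill checker for savedsearches.conf stanzas (added example, not Splunk code).

The setting names action.summary_index and action.summary_index._name are real
Splunk savedsearches.conf keys. Everything else (sample stanzas, the heuristic
requirements) is constructed for illustration from what this thread reports.
"""
import configparser
import re

# Constructed sample savedsearches.conf: the thread's search in three states.
SAMPLE_CONF = """
[test_modulo_ss_manderso_raw]
search = index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name"
action.summary_index = 1
action.summary_index._name = metrics_summary

[test_modulo_ss_manderso]
search = index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name" | sitimechart dc(Coordinator)
action.summary_index = 1
action.summary_index._name = metrics_summary

[test_modulo_collect]
search = index=c_metrics sourcetype="MODULO:JSON" | collect index=metrics_summary
action.summary_index = 0
"""

# Transforming commands that write summary-ready results (si = summary index).
SI_COMMANDS = {"sistats", "sitimechart", "sichart", "sitop", "sirare"}


def parse_savedsearches(text):
    """Parse savedsearches.conf text into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the .conf
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def pipeline_commands(search):
    """Return the lower-cased command name following each '|' in an SPL search.

    Simplification: a '|' inside a quoted string would be treated as a pipe.
    """
    cmds = []
    for segment in search.split("|")[1:]:
        m = re.match(r"\s*(\w+)", segment)
        if m:
            cmds.append(m.group(1).lower())
    return cmds


def check_stanza(stanza):
    """Return a list of problems; an empty list means the stanza passes the checks."""
    problems = []
    cmds = pipeline_commands(stanza.get("search", ""))
    uses_si = any(c in SI_COMMANDS for c in cmds)
    uses_collect = "collect" in cmds
    enabled = stanza.get("action.summary_index", "0").strip().lower() in ("1", "true")

    if enabled and not stanza.get("action.summary_index._name", "").strip():
        problems.append("action.summary_index is on but action.summary_index._name is not set")
    if not enabled and not uses_collect:
        problems.append("summary indexing is disabled and the search has no '| collect'")
    if enabled and not uses_si and not uses_collect:
        # The condition this thread reports as the missing piece.
        problems.append("no si* transforming command (e.g. sitimechart) in the pipeline")
    return problems


def check_conf(text):
    """Run check_stanza over every stanza; returns {stanza_name: [problems]}."""
    return {name: check_stanza(stanza) for name, stanza in parse_savedsearches(text).items()}


if __name__ == "__main__":
    for name, problems in check_conf(SAMPLE_CONF).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Run it against a real savedsearches.conf by replacing SAMPLE_CONF with the file contents; once a stanza passes, the verification query from the question (index=metrics_summary search_name=*) is the right place to confirm the backfilled events arrived.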

Contributor

Neither of those seemed to work, unfortunately. I first tried enabling the summary indexing in the search by checking enable, ran the python command string, and nothing showed up in the summary or metrics_summary index. Then I unchecked the summary indexing box and added the |collect index=metrics_summary string to the search, and ran the python command again. Still, nothing shows in metrics_summary.


SplunkTrust
SplunkTrust

Is it going to the index=summary instead?


Contributor

Nope, checked that as well.
