I run the following search on the search head and receive results that I expect:
index=c_metrics Severity!="Very Low" sourcetype="MODULO:JSON" Coordinator="Name"
and when I run the following command, I see the searches running in the command line:
./splunk cmd python fill_summary_index.py -name "test_modulo_ss_manderso" -et @month -lt @w -owner e16247 -auth user:pw Please enter the app that contains the search(es): search *** For saved search 'test_modulo_ss_manderso' *** *** Spawning a total of 503 searches (max 1 concurrent) *** Executing test_modulo_ss_manderso for UTC = 1483250400 (Sun Jan 1 01:00:00 2017) waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1483250400_99026' ... Finished ... Executing test_modulo_ss_manderso for UTC = 1485057600 (Sat Jan 21 23:00:00 2017) waiting for job sid = 'e16247__e16247__search__RMD535cc29626b6c4a10_at_1485057600_99868' ... Finished
but I don't see the search name in the summary or metrics_summary index.
index=metrics_summary search_name=* host=searchhead| dedup search_name | table search_name
What am I doing wrong here? Thanks for any help.
Turns out I needed to add
| sitimechart dc(Coordinator)
to the search in order to complete the summary index search requirements. Once I did that, I could backfill the data with Summary indexing enabled. Thanks for the help.
Neither of those seemed to work, unfortunately. I first tried enabling the summary indexing in the search by checking enable, ran the python command string, and nothing showed up in the summary or metrics_summary index. Then I unchecked the summary indexing box and added the |collect index=metrics_summary string to the search, and ran the python command again. Still, nothing shows in metrics_summary.