fill_summary_index.py not working

ayusuf · ‎08-03-2016

I'm running the command below:
sudo -u splunk /opt/splunk/bin/splunk cmd python /opt/splunk/bin/fill_summary_index.py -app search -name eligible -et -y -lt now -j 2 -owner admin -auth admin:password

I get the following back:
*** For saved search 'eligible' ***
No handlers could be found for logger "splunk.rest.format"
No scheduled times for your time range.

No searches to run

I'm not sure what the response back means exactly.
'eligible' is a scheduled search and I'm trying to run that same search but using it to backfill the summary index.

lguinn2 · ‎08-04-2016

Are you running the search on a search head, but the summary index resides on indexers? You might need the -nolocal option.

But I really suspect that you need to include the -owner option, or perhaps change the permissions on the scheduled search eligible

More info on the options: Manage summary index gaps and overlaps

somesoni2 · ‎08-03-2016

Is the scheduling enabled for the search? What is the time range you're using and what is the cron schedule for the search?

ayusuf · ‎08-04-2016

scheduling is enabled for the search. should I disable that?
I'm using Basic and running every minute. My search range is -7mon@mon and -7mon@mon+1h.
But there is data before that I need to backfill.

fill_summary_index.py not working

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?