Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is there no data in my summary index?

xsstest
Communicator
‎04-20-2017 12:01 AM

I built a splunk cluster. I created a lot of alerts on the main search server, some alerts I enabled the summary index, select the summary index for the "alerts", after a long period of time, my index "alerts" no data, why? Is there a problem with my configuration?

alt text

alt text

Tags (1)
Preview file
35 KB
Preview file
22 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xsstest
Communicator
‎05-04-2017 07:15 PM

answser:

In a cluster, if you need to create a summary index, it should not be created on the indexer cluster. You should create a summary index on the search head. Because the results of the search will not be written to the indexer cluster, will only write the summary index in the search header, and finally you need to configure the search header to forward the summary index to your index cluster.

中文:在集群中,如果你需要创建摘要索引,不应该在索引集群上创建。你应该在搜索头上创建摘要索引。因为搜索头产生的结果不会写入索引集群,只会写入搜索头中的摘要索引,最后你需要配置搜索头将摘要索引转发到你的索引集群里。

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xsstest
Communicator
‎05-04-2017 07:15 PM

answser:

In a cluster, if you need to create a summary index, it should not be created on the indexer cluster. You should create a summary index on the search head. Because the results of the search will not be written to the indexer cluster, will only write the summary index in the search header, and finally you need to configure the search header to forward the summary index to your index cluster.

中文:在集群中,如果你需要创建摘要索引,不应该在索引集群上创建。你应该在搜索头上创建摘要索引。因为搜索头产生的结果不会写入索引集群,只会写入搜索头中的摘要索引,最后你需要配置搜索头将摘要索引转发到你的索引集群里。

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-20-2017 12:15 AM

What was the search? Unless something was actually output to the summary index, it will be empty.

You must use commands like sistats, sichart, sitimechart, collect to put data into the summary index.
You might want to review the documentation on summary indexing here.

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎04-20-2017 12:49 AM

I create an "alerts" index, and then in some of the alert to enabled the summary index to "alerts". This two-step setup is done. Is there a problem with this

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...