Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Backfill operation runs but summary index not populated

beaumaris
Communicator
‎01-14-2011 05:04 AM

I have a saved search that i am running using the backfill script, but the data isn't showing up in the summary index. The search runs fine in flashtimeline, so I know it's not that, and here is the definition for reference:

[Do Not Click - Summary Index - Requests Server Node Type] action.email.sendpdf = 0 action.summary_index = 1 action.summary_index.report = requests_host_nodetype cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m enableSched = 1 realtime_schedule = 0 search = index="cdnmanager" | bucket span=15m _time | stats count by _time, Server, Node_Type

When I run this using

./splunk cmd python fill_summary_index.py -et -1d@d -lt now -app CDNSummarization -name "Do Not Click - Summary Index - Requests Server Node Type" -auth admin:changeme -j 8 -showprogress true -owner admin –dedup true

it definitely runs, various threads show % complete progress output, yet there is no data in the summary index ("index=cdnmanager report=requests_host_nodetype | head 100" returns No results found). I've tried a number of different things, compared this to other searches that work, looked through all kinds of log files, and have no idea why the summary index is not getting populated. Any thoughts on what to investigate will be appreciated

Tags (1)
Reply

MuS
SplunkTrust
SplunkTrust
‎09-28-2011 04:16 AM

Hi beaumaris

looking at your savedsearches.conf example it looks like you're missing the summary index name 

action.summary_index._name = cdnmanager

if you don't define this, your summary index will be the default one which is called summary.
Also your search string in the savedsearches.conf should not include the summary index as search index.

Reply

beaumaris
Communicator
‎10-25-2011 11:42 AM

The results of the search are supposed to go to the 'summary' index. The 'cdnmanager' index is where the raw events are captured, so I believe the search string is defined correctly and that the basic summary search definition is defined correctly.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...