Knowledge Management

Backfill operation runs but summary index not populated

beaumaris
Communicator

I have a saved search that I am running using the backfill script, but the data isn't showing up in the summary index. The search runs fine in flashtimeline, so I know it's not that, and here is the definition for reference:

[Do Not Click - Summary Index - Requests Server Node Type]
action.email.sendpdf = 0
action.summary_index = 1
action.summary_index.report = requests_host_nodetype
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
enableSched = 1
realtime_schedule = 0
search = index="cdnmanager" | bucket span=15m _time | stats count by _time, Server, Node_Type

When I run this using

./splunk cmd python fill_summary_index.py -et -1d@d -lt now -app CDNSummarization -name "Do Not Click - Summary Index - Requests Server Node Type" -auth admin:changeme -j 8 -showprogress true -owner admin -dedup true

it definitely runs: various threads show % complete progress output, yet there is no data in the summary index ("index=cdnmanager report=requests_host_nodetype | head 100" returns No results found). I've tried a number of different things, compared this to other searches that work, looked through all kinds of log files, and have no idea why the summary index is not getting populated. Any thoughts on what to investigate will be appreciated.


MuS
Legend

Hi beaumaris,

Looking at your savedsearches.conf example, it looks like you're missing the summary index name:

action.summary_index._name = cdnmanager

If you don't define this, your summary index will be the default one, which is called summary.
Also your search string in the savedsearches.conf should not include the summary index as search index.
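
As an added example (not from this thread and not Splunk's own code), the following Python checker reads a savedsearches.conf stanza, reports which index the summary events will land in when action.summary_index._name is absent, flags a search that reads from the same index it summarizes into, and builds the search to run when verifying that index. The stanza from the question is embedded as constructed sample input; the minimal .conf parser and the handling of action.summary_index.<field> keys are assumptions about the format, not Splunk's implementation.

```python
import re

# Constructed sample input: the stanza from the question, one key per line.
SAMPLE_CONF = """
[Do Not Click - Summary Index - Requests Server Node Type]
action.summary_index = 1
action.summary_index.report = requests_host_nodetype
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
enableSched = 1
search = index="cdnmanager" | bucket span=15m _time | stats count by _time, Server, Node_Type
"""

DEFAULT_SUMMARY_INDEX = "summary"  # where events land when _name is not set

def parse_stanzas(text: str) -> dict[str, dict[str, str]]:
    """Minimal .conf reader (an assumption, not Splunk's parser): [stanza] + key = value."""
    stanzas: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # first '=' splits key from value
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_summary_stanza(attrs: dict[str, str]) -> tuple[str, str, list[str]]:
    """Return (target_index, verification_search, warnings) for one saved search."""
    warnings: list[str] = []
    if attrs.get("action.summary_index") != "1":
        warnings.append("action.summary_index is not enabled")
    target = attrs.get("action.summary_index._name")
    if not target:
        target = DEFAULT_SUMMARY_INDEX
        warnings.append(f"action.summary_index._name not set; events go to '{target}'")
    # Indexes the search reads from, e.g. index="cdnmanager" -> cdnmanager
    sources = re.findall(r'index\s*=\s*"?([\w-]+)"?', attrs.get("search", ""))
    if target in sources:
        warnings.append(f"search reads from the summary index it writes to ('{target}')")
    # action.summary_index.<field> = <value> stamps <field> on each summary event,
    # so those fields select this report's rows in the target index.
    marks = {k.split(".", 2)[2]: v for k, v in attrs.items()
             if k.startswith("action.summary_index.") and k != "action.summary_index._name"}
    where = " ".join(f"{k}={v}" for k, v in sorted(marks.items()))
    return target, f"index={target} {where}".strip(), warnings
```

Run it over your own savedsearches.conf with parse_stanzas(open(path).read()) and feed each stanza to check_summary_stanza; the returned search is the one to paste into the search bar after a backfill.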

beaumaris
Communicator

The results of the search are supposed to go to the 'summary' index. The 'cdnmanager' index is where the raw events are captured, so I believe the search string is defined correctly and that the basic summary search definition is defined correctly.
