I have a saved search that i am running using the backfill script, but the data isn't showing up in the summary index. The search runs fine in flashtimeline, so I know it's not that, and here is the definition for reference:
[Do Not Click - Summary Index - Requests Server Node Type] action.email.sendpdf = 0 action.summary_index = 1 action.summary_index.report = requests_host_nodetype cron_schedule = 0 * * * * dispatch.earliest_time = -70m@m dispatch.latest_time = -10m@m enableSched = 1 realtime_schedule = 0 search = index="cdnmanager" | bucket span=15m _time | stats count by _time, Server, Node_Type
When I run this using
./splunk cmd python fill_summary_index.py -et -1d@d -lt now -app CDNSummarization -name "Do Not Click - Summary Index - Requests Server Node Type" -auth admin:changeme -j 8 -showprogress true -owner admin –dedup true
it definitely runs, various threads show % complete progress output, yet there is no data in the summary index ("index=cdnmanager report=requests_host_nodetype | head 100" returns No results found). I've tried a number of different things, compared this to other searches that work, looked through all kinds of log files, and have no idea why the summary index is not getting populated. Any thoughts on what to investigate will be appreciated
Hi beaumaris
looking at your savedsearches.conf example it looks like you're missing the summary index name
action.summary_index._name = cdnmanager
if you don't define this, your summary index will be the default one which is called summary.
Also your search string in the savedsearches.conf should not include the summary index as search index.
The results of the search are supposed to go to the 'summary' index. The 'cdnmanager' index is where the raw events are captured, so I believe the search string is defined correctly and that the basic summary search definition is defined correctly.