
Backfill operation runs but summary index not populated

beaumaris
Communicator

I have a saved search that i am running using the backfill script, but the data isn't showing up in the summary index. The search runs fine in flashtimeline, so I know it's not that, and here is the definition for reference:

[Do Not Click - Summary Index - Requests Server Node Type]
action.email.sendpdf = 0
action.summary_index = 1
action.summary_index.report = requests_host_nodetype
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
enableSched = 1
realtime_schedule = 0
search = index="cdnmanager" | bucket span=15m _time | stats count by _time, Server, Node_Type

When I run this using

./splunk cmd python fill_summary_index.py -et -1d@d -lt now -app CDNSummarization -name "Do Not Click - Summary Index - Requests Server Node Type" -auth admin:changeme -j 8 -showprogress true -owner admin -dedup true

it definitely runs, various threads show % complete progress output, yet there is no data in the summary index ("index=cdnmanager report=requests_host_nodetype | head 100" returns No results found). I've tried a number of different things, compared this to other searches that work, looked through all kinds of log files, and have no idea why the summary index is not getting populated. Any thoughts on what to investigate will be appreciated.


MuS
SplunkTrust

Hi beaumaris

Looking at your savedsearches.conf example, it looks like you're missing the summary index name:

action.summary_index._name = cdnmanager

If you don't define this, your summary index will be the default one, which is called summary.
Also, your search string in savedsearches.conf should not include the summary index as the search index.
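As an added example (not code from this thread and not Splunk's own), the following Python lint encodes the two points above. It parses the stanza from the question, reports which index the summary events actually land in (action.summary_index._name, or Splunk's default summary when that key is absent), flags a search that reads from the same index it writes to, and builds the search you would run to verify the backfill. The parser, the function names, and the treatment of every action.summary_index.<field> key that does not start with an underscore as a field stamped onto the summary events are assumptions of this example.

```python
"""Lint a Splunk savedsearches.conf stanza for summary-index misconfiguration.

Added example, not from the thread or from Splunk. Assumes Splunk's documented
behaviour: summary events go to action.summary_index._name (default 'summary'),
and action.summary_index.<field> = <value> is stamped onto each summary event.
"""
import re
from typing import Dict, List, Optional

# The stanza from the question, reflowed one key per line (same content).
SAVEDSEARCHES_CONF = """
[Do Not Click - Summary Index - Requests Server Node Type]
action.email.sendpdf = 0
action.summary_index = 1
action.summary_index.report = requests_host_nodetype
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
enableSched = 1
realtime_schedule = 0
search = index="cdnmanager" | bucket span=15m _time | stats count by _time, Server, Node_Type
"""

DEFAULT_SUMMARY_INDEX = "summary"   # Splunk's default when _name is not set
FIELD_PREFIX = "action.summary_index."


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf parser: [stanza] headers and 'key = value' lines.

    Splits each setting on the first '=' only, so an '=' inside the search
    string (span=15m) is kept. Comments and line continuations are ignored.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_summary_index(stanza: Dict[str, str]) -> str:
    """Index the summary events land in: _name if set, else Splunk's default."""
    return stanza.get(FIELD_PREFIX + "_name", DEFAULT_SUMMARY_INDEX)


def source_indexes(search: str) -> List[str]:
    """Values of every index= term in a search string, quotes stripped."""
    return re.findall(r'\bindex\s*=\s*"?([^"\s|]+)"?', search)


def summary_fields(stanza: Dict[str, str]) -> Dict[str, str]:
    """Fields stamped onto summary events (assumption: any key under the
    prefix that does not start with '_', which marks Splunk control keys)."""
    return {k[len(FIELD_PREFIX):]: v for k, v in stanza.items()
            if k.startswith(FIELD_PREFIX) and not k[len(FIELD_PREFIX):].startswith("_")}


def lint(stanza: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    if stanza.get("action.summary_index") != "1":
        findings.append("summary indexing is not enabled (action.summary_index != 1)")
    target = effective_summary_index(stanza)
    if FIELD_PREFIX + "_name" not in stanza:
        findings.append(f"action.summary_index._name not set; events go to the default index '{target}'")
    for idx in source_indexes(stanza.get("search", "")):
        if idx == target:
            findings.append(f"search reads from '{idx}', the same index it writes to, "
                            "so summary events would feed the next scheduled run")
    return findings


def verification_search(stanza: Dict[str, str]) -> str:
    """The search to confirm the backfill landed: target index plus stamped fields."""
    parts = [f"index={effective_summary_index(stanza)}"]
    parts += [f"{k}={v}" for k, v in sorted(summary_fields(stanza).items())]
    return " ".join(parts)


def check_lookup(lookup_search: str, stanza: Dict[str, str]) -> Optional[str]:
    """Flag a verification search that looks in an index other than the target."""
    target = effective_summary_index(stanza)
    if target not in source_indexes(lookup_search):
        return (f"lookup searches {source_indexes(lookup_search)} but summary events "
                f"are written to '{target}'; try: {verification_search(stanza)}")
    return None


if __name__ == "__main__":
    stanzas = parse_conf(SAVEDSEARCHES_CONF)
    for name, stanza in stanzas.items():
        print(f"[{name}]")
        for finding in lint(stanza):
            print("  -", finding)
        problem = check_lookup('index=cdnmanager report=requests_host_nodetype | head 100', stanza)
        print("  -", problem or "lookup search targets the right index")
```

Run against the stanza from the question, it reports that _name is unset and that a lookup of index=cdnmanager report=requests_host_nodetype searches the wrong index; the verification search it builds is index=summary report=requests_host_nodetype. Setting action.summary_index._name = cdnmanager instead would trip the same-index finding, which is the second point of the answer.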

beaumaris
Communicator

The results of the search are supposed to go to the 'summary' index. The 'cdnmanager' index is where the raw events are captured, so I believe the search string is defined correctly and that the basic summary search definition is defined correctly.
