Knowledge Management

Does summary index query runs bydefault in fast mode?

vikashperiwal
Path Finder

I have my search in "verbose mode" and i have used |collect command to send the data to summary index. till here every thing is rght.
But when i check my summary index query it runs default in "fast Mode", and i am getting less results .

is there any way i can run my summary index in verbose mode by default.

Labels (1)
0 Karma

woodcock
Esteemed Legend

All saved/scheduled searches run as Smart Mode. Always.

0 Karma

vikashperiwal
Path Finder

Just to update more specific issue, my report is actually having issue ..

To summaries: my saved search is returning result in VERBOSE mode and my same is expected when i schedule it to report . BUt issue is my report is returning the result in FAST mode and as a result of which there is data discrepancies.

After having little google and going through docs, it says my query is having "STATS Command " and this is setting my report to run by default in FAST mode.... Can any one suggest any solution

(index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW earliest=-4h@h latest=@h) OR (index=csvlookups source="24*SWITCH"earliest=-30d@d latest=@d)
| eval N=coalesce(N,DPC) , O=coalesce(O,OPC) , K=coalesce(K,CIC)
| search N=* AND O=* AND K=*
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(ROUTESET) as ROUTESET values(CIC) as CIC by N O K
| eval Call="Inbound"
| fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| table _time A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| search OPC=* AND DPC=* AND A=*

0 Karma

woodcock
Esteemed Legend

Just add a final | table list all of your desired fields here to the end.

0 Karma

vikashperiwal
Path Finder

Hi ,
This is the query, i have runned it in verbose mode and sent data to summary index. this is running fine. but after i schedule the query the report shows data in fast mode bydefault.there is the issue.

(index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW earliest=-4h@h latest=@h) OR (index=csvloo
kups source="24*SWITCH"earliest=-30d@d latest=@d)
| eval N=coalesce(N,DPC) , O=coalesce(O,OPC) , K=coalesce(K,CIC)
| search N=* AND O=* AND K=*
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(ROUTESET) as ROUTESET values(CIC) as CIC by N O K
| eval Call="Inbound"
| fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| table _time A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| search OPC=* AND DPC=* AND A=*|collect index=cdr_enhanced source="test"

0 Karma

woodcock
Esteemed Legend

OK, I should have said, add this before the "collect" command.

0 Karma

vikashperiwal
Path Finder

no this is same ... adding table wont have any impact..

My saved search is running in verbose mode and i have scheduled it .. After the scheduled time the report is triggered but its in Fast mode by default as a result it shows less results.

So the issue is with the instance of report triggerd.

0 Karma

vikashperiwal
Path Finder

just to update , the saved search is running by default in fast mode even the i have saved the query in verbose mode

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...