Re: Does summary index query runs bydefault in fas...

vikashperiwal · ‎11-06-2019

I have my search in "verbose mode" and i have used |collect command to send the data to summary index. till here every thing is rght.
But when i check my summary index query it runs default in "fast Mode", and i am getting less results .

is there any way i can run my summary index in verbose mode by default.

woodcock · ‎11-20-2019

All saved/scheduled searches run as Smart Mode. Always.

vikashperiwal · ‎11-20-2019

Just to update more specific issue, my report is actually having issue ..

To summaries: my saved search is returning result in VERBOSE mode and my same is expected when i schedule it to report . BUt issue is my report is returning the result in FAST mode and as a result of which there is data discrepancies.

After having little google and going through docs, it says my query is having "STATS Command " and this is setting my report to run by default in FAST mode.... Can any one suggest any solution

(index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW earliest=-4h@h latest=@h) OR (index=csvlookups source="24*SWITCH"earliest=-30d@d latest=@d)
| eval N=coalesce(N,DPC) , O=coalesce(O,OPC) , K=coalesce(K,CIC)
| search N=* AND O=* AND K=*
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(ROUTESET) as ROUTESET values(CIC) as CIC by N O K
| eval Call="Inbound"
| fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| table _time A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| search OPC=* AND DPC=* AND A=*

woodcock · ‎11-06-2019

Just add a final | table list all of your desired fields here to the end.

vikashperiwal · ‎11-06-2019

Hi ,
This is the query, i have runned it in verbose mode and sent data to summary index. this is running fine. but after i schedule the query the report shows data in fast mode bydefault.there is the issue.

(index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW earliest=-4h@h latest=@h) OR (index=csvloo
kups source="24*SWITCH"earliest=-30d@d latest=@d)
| eval N=coalesce(N,DPC) , O=coalesce(O,OPC) , K=coalesce(K,CIC)
| search N=* AND O=* AND K=*
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(ROUTESET) as ROUTESET values(CIC) as CIC by N O K
| eval Call="Inbound"
| fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| table _time A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| search OPC=* AND DPC=* AND A=*|collect index=cdr_enhanced source="test"

woodcock · ‎11-07-2019

OK, I should have said, add this before the "collect" command.

vikashperiwal · ‎11-07-2019

no this is same ... adding table wont have any impact..

My saved search is running in verbose mode and i have scheduled it .. After the scheduled time the report is triggered but its in Fast mode by default as a result it shows less results.

So the issue is with the instance of report triggerd.

vikashperiwal · ‎11-06-2019

just to update , the saved search is running by default in fast mode even the i have saved the query in verbose mode

Does summary index query runs bydefault in fast mode?

summary indexing

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes