Knowledge Management

Does a summary index query run by default in fast mode?

vikashperiwal
Path Finder

I have my search in "verbose mode" and I have used the | collect command to send the data to a summary index. Up to here everything is right.
But when I check my summary index query, it runs by default in "fast mode", and I am getting fewer results.

Is there any way I can run my summary index in verbose mode by default?

0 Karma

woodcock
Esteemed Legend

All saved/scheduled searches run as Smart Mode. Always.

0 Karma

vikashperiwal
Path Finder

Just to update with the more specific issue: my report is actually the one having the issue.

To summarize: my saved search returns results in VERBOSE mode, and I expect the same when I schedule it as a report. But the issue is that my report returns results in FAST mode, and as a result there are data discrepancies.

After a little googling and going through the docs, it says my query has a "STATS command" and this is setting my report to run by default in FAST mode... Can anyone suggest a solution?

(index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW earliest=-4h@h latest=@h) OR (index=csvlookups source="24*SWITCH" earliest=-30d@d latest=@d)
| eval N=coalesce(N,DPC) , O=coalesce(O,OPC) , K=coalesce(K,CIC)
| search N=* AND O=* AND K=*
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(ROUTESET) as ROUTESET values(CIC) as CIC by N O K
| eval Call="Inbound"
| fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| table _time A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| search OPC=* AND DPC=* AND A=*

0 Karma

woodcock
Esteemed Legend

Just add a final "| table <list all of your desired fields here>" to the end.

0 Karma

vikashperiwal
Path Finder

Hi,
This is the query. I have run it in verbose mode and sent the data to the summary index. This is running fine, but after I schedule the query, the report shows data in fast mode by default. That is the issue.

(index=ndspr sourcetype=ISUP_EVENT_ACCESS_VW earliest=-4h@h latest=@h) OR (index=csvlookups source="24*SWITCH" earliest=-30d@d latest=@d)
| eval N=coalesce(N,DPC) , O=coalesce(O,OPC) , K=coalesce(K,CIC)
| search N=* AND O=* AND K=*
| eventstats values(OPC) as OPC values(DPC) as DPC values(CLLI) as CLLI values(ADMININF) as ADMININF values(ADNUM) as ADNUM values(TRKGRSIZ) as TRKGRSIZ values(NETNAME) as NETNAME values(SWITCH) as SWITCH values(MEMNAME) as MEMNAME values(ROUTESET) as ROUTESET values(CIC) as CIC by N O K
| eval Call="Inbound"
| fields A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| table _time A B C D E F G H I J L M P Q R S T U V W X Y Z A1 A2 A3 A4 A5 N OPC O DPC K CIC CLLI ADMININF ADNUM TRKGRSIZ NETNAME SWITCH MEMNAME ROUTESET Call
| search OPC=* AND DPC=* AND A=*
| collect index=cdr_enhanced source="test"

0 Karma

woodcock
Esteemed Legend

OK, I should have said, add this before the "collect" command.

0 Karma

vikashperiwal
Path Finder

No, this is the same... adding table won't have any impact.

My saved search is running in verbose mode and I have scheduled it. After the scheduled time the report is triggered, but it's in fast mode by default; as a result it shows fewer results.

So the issue is with the instance of the report triggered.

0 Karma

vikashperiwal
Path Finder

Just to update: the saved search is running by default in fast mode even though I have saved the query in verbose mode.

0 Karma