Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fill_Summary_Index.py fails after a summary index source delete

lukejadamec
Super Champion
‎09-26-2013 05:53 PM

I created a summary index, and populated it with a search.
I found later that the search was flawed, so I deleted the source from that index:
index=summary-myindex source=summarysource | delete

So far, all attempts to use fill_summary_index.py have failed for the Corrected Search. I have tried a new index.

When I run the search on the original non-summary index, the results are normal. If I try to use fill_summary_index.py the result is nothing. The fill_summary_index.py runs without errors, but nothing is added to the specified summary index – Manager>Indexes shows nothing in the index.

I created a new scheduled search with a new name (source) with the corrected search, but nothing is added to the new summary-index. When run manually there are results.

What am I missing?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎10-01-2013 05:09 PM

Time. I found I was missing time.

A few days later when I got around to looking at the problem again, the same populating search that had populated nothing earlier started populating the summary index.

This has to be a bug, but I can't quite squash it yet. When I get more time I'll look into it...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎10-01-2013 05:09 PM

Time. I found I was missing time.

A few days later when I got around to looking at the problem again, the same populating search that had populated nothing earlier started populating the summary index.

This has to be a bug, but I can't quite squash it yet. When I get more time I'll look into it...

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎12-12-2013 06:51 PM

I'm a big fan of dedup, and I was using it. I'm gonna have to check my .stash results for something missing....
Thanks

0 Karma
Reply
Solved! Jump to solution

Lucas_K
Motivator
‎12-12-2013 06:49 PM

(due to the char limit I couldn't include this bit above).

The other possibility was that the .stash results were not being ingested by the indexer for some reason (normally only an issue in distributed environments).

0 Karma
Reply
Solved! Jump to solution

Lucas_K
Motivator
‎12-12-2013 06:47 PM

Normally that will only occur if you had ANY event in that summary index for that timeframe. This checking is only done if you use the "-dedup true" command line option.
There is also an issue with the script's dedup search (line #33) if your in a distributed environment (multiple indexes + search heads). Edit it and remove the "splunk_server=local" section. In a nutshell it does a simple check for existing events for that time span in the summary index. If it find ANYTHING at all in a search time frame the search will not run for that particular time frame and will be reported as "skipped".

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...