- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: Is there anything wrong with my saved Search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there anything wrong with my saved Search?
I have identified a saved search located in savedsearches.conf, the main search in macros.conf works fine and outputs data, but for some reason this is nor being populated within the Summary Index specified:
[Stanza_Name]
action.email.inline = 1
action.summary_index = 1
action.summary_index._name = SummaryIndex
alert.severity = 2
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
# run hourly
cron_schedule = 5 * * * *
description = <description_here>
dispatch.earliest_time = -1h@h
dispatch.latest_time = now
enableSched = 1
realtime_schedule = 0
search = `Search_Query`
All the other saved searches work fine and are populating the summary index specified and at the right Cron time, Like I said before I have tested the actual search and I can see results, what could be the issue?
Quick Update:
I searched for the Jobs running in the background for all of the saved searches and found that the specific search that was not populating the summary index was in face running every 5min, so I click on the link for the actual search running and got this:
`Search_Query` | summaryindex spool=t uselb=t addtime=t index="SummaryIndex" file="Search_Query_136539995.stash_new" name="Stanza_Name" marker=""
But the Time Range picker was set at a certain time to not collect data older than 5pm for today, which is what I expect as I am running the search every 5m to populate the summary index.
So I switched it to "All Time" and got some results and to my surprise the whole summary index was populated?, Whats going on?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this search(Search_Query) in the flashtimeline(in your app). In the timerange picker,select custom time range. In that specify the earliest and latest time values as those specified in your saved search. If that does not give you results, it means the data required by your search is not present in the specified time range. Either add data and try again or else change the time range.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been using Splunk for 3 Years now, that is obviously one of the first things I tried, I do get results, but the Summary Index isn't being populated.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
