Knowledge Management

Is there anything wrong with my saved Search?

Dark_Ichigo
Builder

I have identified a saved search located in savedsearches.conf, the main search in macros.conf works fine and outputs data, but for some reason this is nor being populated within the Summary Index specified:

[Stanza_Name]
action.email.inline = 1
action.summary_index = 1
action.summary_index._name = SummaryIndex
alert.severity = 2
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
# run hourly
cron_schedule = 5 * * * *
description = <description_here>
dispatch.earliest_time = -1h@h
dispatch.latest_time = now
enableSched = 1
realtime_schedule = 0
search = `Search_Query`

All the other saved searches work fine and are populating the summary index specified and at the right Cron time, Like I said before I have tested the actual search and I can see results, what could be the issue?

Quick Update:

I searched for the Jobs running in the background for all of the saved searches and found that the specific search that was not populating the summary index was in face running every 5min, so I click on the link for the actual search running and got this:

`Search_Query` | summaryindex spool=t uselb=t addtime=t index="SummaryIndex" file="Search_Query_136539995.stash_new" name="Stanza_Name" marker=""

But the Time Range picker was set at a certain time to not collect data older than 5pm for today, which is what I expect as I am running the search every 5m to populate the summary index.

So I switched it to "All Time" and got some results and to my surprise the whole summary index was populated?, Whats going on?

0 Karma

RohiniJindam
Path Finder

Run this search(Search_Query) in the flashtimeline(in your app). In the timerange picker,select custom time range. In that specify the earliest and latest time values as those specified in your saved search. If that does not give you results, it means the data required by your search is not present in the specified time range. Either add data and try again or else change the time range.

0 Karma

Dark_Ichigo
Builder

I have been using Splunk for 3 Years now, that is obviously one of the first things I tried, I do get results, but the Summary Index isn't being populated.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...