Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issue searching againts Summary Index

dshakespeare_sp
Splunk Employee
Splunk Employee
‎11-12-2012 04:50 AM

Customer reports issue searching againts Summary Index.

They add a summary index as following:
index="foo-bar" host="my-server" earliest=-1w@w latest=-0w@w | xmlkv | sitimechart span=10m max(foo.bar)

When they run the search they can see data inside, however when I try to search via the summary index they do not get any results when doing timechart.

They have found that all the ones that do not work contain a "." in the field that I try to summarize.

Fields that do not contain a dot work fine

Example search.

index="summary" search_name="My Summary" | timechart span=10m max(foo.bar)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dshakespeare_sp
Splunk Employee
Splunk Employee
‎11-12-2012 04:53 AM

Splunk have identified an issue whereby Splunk's key cleaning rules are being applied to summary indexes (any field that contains characters that are not in a-z, A-Z, and 0-9 ranges are replaced with an underscore (_).

Defect ticket SPL-58300 has been raised for this issue

A workaround is possible by adding CLEAN_KEYS=0 the [stash_extract]
stanza in $SPLUNK/etc/system/local/transforms.conf

View solution in original post

Reply
Solved! Jump to solution
Solution

dshakespeare_sp
Splunk Employee
Splunk Employee
‎11-12-2012 04:53 AM

Splunk have identified an issue whereby Splunk's key cleaning rules are being applied to summary indexes (any field that contains characters that are not in a-z, A-Z, and 0-9 ranges are replaced with an underscore (_).

Defect ticket SPL-58300 has been raised for this issue

A workaround is possible by adding CLEAN_KEYS=0 the [stash_extract]
stanza in $SPLUNK/etc/system/local/transforms.conf

Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...