Knowledge Management

Issue searching againts Summary Index

dshakespeare_sp
Splunk Employee
Splunk Employee

Customer reports issue searching againts Summary Index.

They add a summary index as following:
index="foo-bar" host="my-server" earliest=-1w@w latest=-0w@w | xmlkv | sitimechart span=10m max(foo.bar)

When they run the search they can see data inside, however when I try to search via the summary index they do not get any results when doing timechart.

They have found that all the ones that do not work contain a "." in the field that I try to summarize.

Fields that do not contain a dot work fine

Example search.

index="summary" search_name="My Summary" | timechart span=10m max(foo.bar)

Tags (1)
0 Karma
1 Solution

dshakespeare_sp
Splunk Employee
Splunk Employee

Splunk have identified an issue whereby Splunk's key cleaning rules are being applied to summary indexes (any field that contains characters that are not in a-z, A-Z, and 0-9 ranges are replaced with an underscore (_).

Defect ticket SPL-58300 has been raised for this issue

A workaround is possible by adding CLEAN_KEYS=0 the [stash_extract]
stanza in $SPLUNK/etc/system/local/transforms.conf

View solution in original post

dshakespeare_sp
Splunk Employee
Splunk Employee

Splunk have identified an issue whereby Splunk's key cleaning rules are being applied to summary indexes (any field that contains characters that are not in a-z, A-Z, and 0-9 ranges are replaced with an underscore (_).

Defect ticket SPL-58300 has been raised for this issue

A workaround is possible by adding CLEAN_KEYS=0 the [stash_extract]
stanza in $SPLUNK/etc/system/local/transforms.conf

Get Updates on the Splunk Community!

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...