Solved: Issue with Summary Indexing, saved searches runs f...

somesoni2 · ‎07-10-2013

I have a set of 10 saved searches which are doing summary indexing. These searches are running every minute. All the searches run fine and returns data when runs manually. They also return data when running through Saved Searches [as per _internal log (index=_internal sourcetype=scheduler )], but sometimes the data is not written into summary index for some of the searches.
This happens very randomly. I have verified the _internal logs and there is result_count > 0 for searches. There is no error or warning reported.
What could be the reason for the same and what all troubleshooting steps I can try out for it?

yannK · ‎09-19-2013

Look in the spooler for files that were skipped.
$SPLUNK_HOME/var/spool/splunk

If you find many old files, this is a know bug for version prior to 5.0.3
see http://answers.splunk.com/answers/70072/summary-indexing-blocked-and-binary-file-warning

View solution in original post

yannK · ‎09-19-2013

Look in the spooler for files that were skipped.
$SPLUNK_HOME/var/spool/splunk

If you find many old files, this is a know bug for version prior to 5.0.3
see http://answers.splunk.com/answers/70072/summary-indexing-blocked-and-binary-file-warning

my_splunk · ‎09-19-2013

Hi somesoni2, i have a problem as your with my saved searches. Have you found a solution?

Issue with Summary Indexing, saved searches runs fine but summary index data is not written sometimes

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms