My hourly sitimechart search has a "status=success...

lycollicott · ‎04-21-2019

I don't understand why nothing is in the summary index. How can something return rows via sitimechart, but not put those rows in summary?

Here's a log sample:

04-21-2019 11:00:14.786 -0600 INFO SavedSplunker - savedsearch_id="XXXX", search_type="", user="XXXX", app="XXXX", savedsearch_name="XXXX", priority=default, status=success, digest_mode=1, scheduled_time=1555866000, window_time=0, dispatch_time=1555866006, run_time=6.735, result_count=120, alert_actions="", sid="scheduler_bGFycnkuY29sbGljb3R0QHNraWxsc29mdC5jb20_c3NfcGVyY2lwaW9fZGV2b3Bz__RMD5439b9da34a2a9151_at_1555866000_38286_CCC35F19-6371-4001-A55C-2A0F698DBD5C", suppressed=0, thread_id="AlertNotifierWorker-0"

04-21-2019 11:00:14.893 -0600 INFO SavedSplunker - user="XXXX", app="XXXX", savedsearch_name="XXXX", status=delegated_remote_completion, scheduled_time=1555866000, member_guid=CCC35F19-6371-4001-A55C-2A0F698DBD5C, member_label="XXXX", member_URI="https://XXXX:8089", sid=scheduler_bGFycnkuY29sbGljb3R0QHNraWxsc29mdC5jb20_c3NfcGVyY2lwaW9fZGV2b3Bz__RMD5439b9da34a2a9151_at_1555866000_38286_CCC35F19-6371-4001-A55C-2A0F698DBD5C, success=1

My hourly sitimechart search has a "status=success" and a "return_count=120", but "success=1" with nothing in the summary index

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024