Knowledge Management
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Not getting data from summary index
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not getting data from summary index
1200125
Engager
03-26-2020
05:41 AM
We have created a summary Index in Splunk with a cron schedule to run every 15 minutes but while using that Summary Index ad setting the time as today ,We are not getting any data,WHat could be the reason ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-26-2020
07:13 AM
Even though the Summary Index exists on the Indexers, if you do not have an indexes.conf file on your Search Head that defines Webtop_UCF_Operations then you will NOT be able to write to it. Read from it, yes, but not write. Yes, I am totally serious.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rashi83
Path Finder
03-27-2020
07:07 AM
What if summary index exists on SH only . Issue is the scheduled search doesn't run every time even with job priority set as Highest. Is this happening because its been run too frequently ?
OR should this summary index be created in Indexer first ?
@woodcock
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-27-2020
08:47 AM
Create a real index on the indexers that will get the data and a fake one on the Search Head that will never get data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rashi83
Path Finder
03-27-2020
09:02 AM
@woodcock - that mean scheduled search / report will also need to be scheduled on Indexer itself instead of SH.
Is there any documentation in particular from Splunk about this .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-27-2020
09:32 AM
NO! Your Search Head should be configured as per best-practices to forward all events to the Indexers. All events from anywhere/everywhere go to Indexers.
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
