Not getting data from summary index

1200125 · ‎03-26-2020

We have created a summary Index in Splunk with a cron schedule to run every 15 minutes but while using that Summary Index ad setting the time as today ,We are not getting any data,WHat could be the reason ?

woodcock · ‎03-26-2020

Even though the Summary Index exists on the Indexers, if you do not have an indexes.conf file on your Search Head that defines Webtop_UCF_Operations then you will NOT be able to write to it. Read from it, yes, but not write. Yes, I am totally serious.

rashi83 · ‎03-27-2020

What if summary index exists on SH only . Issue is the scheduled search doesn't run every time even with job priority set as Highest. Is this happening because its been run too frequently ?

OR should this summary index be created in Indexer first ?
@woodcock

woodcock · ‎03-27-2020

Create a real index on the indexers that will get the data and a fake one on the Search Head that will never get data.

rashi83 · ‎03-27-2020

@woodcock - that mean scheduled search / report will also need to be scheduled on Indexer itself instead of SH.

Is there any documentation in particular from Splunk about this .

woodcock · ‎03-27-2020

NO! Your Search Head should be configured as per best-practices to forward all events to the Indexers. All events from anywhere/everywhere go to Indexers.

Not getting data from summary index

summary indexing

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!