Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Question about fixing data in a summary search

burwell
SplunkTrust
SplunkTrust
‎10-17-2016 05:41 PM

We have a summary search that runs every hour. I have read about the fill_summary_index.py

What i want to know is how do I fix data from several weeks ago. Things changed a few weeks ago and I need to adjust the summary search. Going forward things are good but how can I run the fill_summary_index.py and have it replace the data that is there?

I feel like with the dedup setting it would either skip or add into what I have. How do I replace for a time period.. or can I?

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-17-2016 08:20 PM

I generally delete the corrupted/incomplete data from summary index and then backfill.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-17-2016 08:20 PM

I generally delete the corrupted/incomplete data from summary index and then backfill.

Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎10-18-2016 09:59 AM

How do you delete the corrupt/incomplete data?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-18-2016 10:04 AM

We run the delete command to delete (technically it just makes the data unsearchable) the required data. We run a search with appropriate data-source (index/sourcetype/source/host) and time range, check if the search is returning the data that you want to delete, and then add "| delete " command at the end to delete/make-unsearchable the same. This link should give you more details on the delete command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/RemovedatafromSplunk#Delete_data_from_future...

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎10-26-2016 07:08 PM

Thanks. If you post in the answers I will mark this as answered.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-18-2016 05:36 AM

We do the same.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...