
Running search against summary index

New Member

I have a search as follows:

sourcetype="renprodweb" | sistats count by httprespcode

(with the time range set to previous month). Using Splunk Web, I saved the report, enabled Summary Index, and scheduled it to run every 15 minutes. I was able to get the data from the search itself. However, when I tried to run a search against the summary index as follows, I received nothing.

index="summary" searchname="summary - stats count" | stats count by httpresp_code

What am I missing here?



Splunk Employee

Maybe the field has a typo; try with search_name instead of searchname.

Otherwise, here are some troubleshooting steps:

  • Do you have permissions to search the summary index?
    Try with index=summary | stats count by search_name

  • Is summary indexing enabled?
    Make sure that the spooler batch input is not disabled in the file data inputs: $SPLUNK_HOME/var/spool/splunk/...stash_new

  • Is the summary index local, or forwarded to another server that is not searchable?
