Solved: Scheduled saved search for filling Summary index v...

Dark_Ichigo · ‎06-03-2012

I have created a summary index and a saved search to run via cron configured in saved_searches.conf, the only issue is that its not running at the specified time and if it managed to run, it doesn't fill up the summary index, UNLESS I manually click on "Jobs" and select the scheduled saved search thats running in the background and run it my self, then it will be successfully filled.

What could be the reason for this behaviour?

I have taken a look at some of the other questions but they dont seem to solve my issue.

Below is a copy of one of my scheduled saved Searches:

[Saved_Search]
action.email.inline = 1
action.summary_index = 0
action.summary_index._name = Summary
alert.severity = 2
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
cron_schedule = 07 15 * * *
description = <Description>
dispatch.earliest_time = -29d@d
dispatch.latest_time = now
enableSched = 0
realtime_schedule = 1
search = `saved_search`

Ayn · ‎07-05-2012

You've set action.summary_index to 0.

EDIT: ...and also you've set enableSched to 0.

View solution in original post

Ayn · ‎07-05-2012

You've set action.summary_index to 0.

EDIT: ...and also you've set enableSched to 0.

Scheduled saved search for filling Summary index via Cron, not running

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life