Knowledge Management

Single summary index match not visible with search_name?

smisplunk
Path Finder

I've got a summary index query which currently matches only one (1) event in my existing data. I've run the fill_summary_index.py to backfill the data for that time period. When I attempt to fetch it via a search:

index=<summary_index> search_name="<name_of_saved_search>"

No results are retrieved. If I reduce my search to inspect any record in the summary index, I see there there is a "source" field with the name of my saved search, but no matching entry in the search_name field. Is "source" preferred to find the summary index entries, or should I still be using search_name?

Tags (1)
0 Karma
1 Solution

smisplunk
Path Finder

Hmm, as ashamed as I am to admit it, this was a PEBKAC issue. When I examined the saved search definition within the Splunk Manager, the sitop command was missing. Upon further inspection, the savedsearches.conf had:

[Summarize Top Spam Relays by 30min]
...
search = eventtype=mail_disposition categorization=spam\
| dedup host, qid
| sitop limit=100 showperc=false relay, host, cluster
...

There should have been another \ after qid. I must have made a cut-and-paste error when duplicating this search from a different "categorization=".

View solution in original post

0 Karma

smisplunk
Path Finder

Hmm, as ashamed as I am to admit it, this was a PEBKAC issue. When I examined the saved search definition within the Splunk Manager, the sitop command was missing. Upon further inspection, the savedsearches.conf had:

[Summarize Top Spam Relays by 30min]
...
search = eventtype=mail_disposition categorization=spam\
| dedup host, qid
| sitop limit=100 showperc=false relay, host, cluster
...

There should have been another \ after qid. I must have made a cut-and-paste error when duplicating this search from a different "categorization=".

0 Karma

Ledion_Bitincka
Splunk Employee
Splunk Employee

The recommended way to access the summary events is to use source="". Usin search_name="" should work too, so I'm a little puzzled. Can you post how the event looks like and what version of splunk are you running?

0 Karma

smisplunk
Path Finder

Running 4.1.2.

It's also apparently not only "single" summary events. I've got a set of eleven (11) summary index searches configured on my system. If I just search the summary index for any row, I come up with 365,429 events for today. No problem. However, in the field picker, the "source" field identifies the full 11 summary indexes ("source appears in 100% of results"), while search_name only comes up with 9 different summary index searches, and "search_name appears in 44% of results". Yes, that's right, "search_name" only shows up in about 160k of those 365k records.

0 Karma
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...