Knowledge Management

Single summary index match not visible with search_name?

smisplunk
Path Finder

I've got a summary index query which currently matches only one (1) event in my existing data. I've run the fill_summary_index.py to backfill the data for that time period. When I attempt to fetch it via a search:

index=<summary_index> search_name="<name_of_saved_search>"

No results are retrieved. If I reduce my search to inspect any record in the summary index, I see there there is a "source" field with the name of my saved search, but no matching entry in the search_name field. Is "source" preferred to find the summary index entries, or should I still be using search_name?

Tags (1)
0 Karma
1 Solution

smisplunk
Path Finder

Hmm, as ashamed as I am to admit it, this was a PEBKAC issue. When I examined the saved search definition within the Splunk Manager, the sitop command was missing. Upon further inspection, the savedsearches.conf had:

[Summarize Top Spam Relays by 30min]
...
search = eventtype=mail_disposition categorization=spam\
| dedup host, qid
| sitop limit=100 showperc=false relay, host, cluster
...

There should have been another \ after qid. I must have made a cut-and-paste error when duplicating this search from a different "categorization=".

View solution in original post

0 Karma

smisplunk
Path Finder

Hmm, as ashamed as I am to admit it, this was a PEBKAC issue. When I examined the saved search definition within the Splunk Manager, the sitop command was missing. Upon further inspection, the savedsearches.conf had:

[Summarize Top Spam Relays by 30min]
...
search = eventtype=mail_disposition categorization=spam\
| dedup host, qid
| sitop limit=100 showperc=false relay, host, cluster
...

There should have been another \ after qid. I must have made a cut-and-paste error when duplicating this search from a different "categorization=".

0 Karma

Ledion_Bitincka
Splunk Employee
Splunk Employee

The recommended way to access the summary events is to use source="". Usin search_name="" should work too, so I'm a little puzzled. Can you post how the event looks like and what version of splunk are you running?

0 Karma

smisplunk
Path Finder

Running 4.1.2.

It's also apparently not only "single" summary events. I've got a set of eleven (11) summary index searches configured on my system. If I just search the summary index for any row, I come up with 365,429 events for today. No problem. However, in the field picker, the "source" field identifies the full 11 summary indexes ("source appears in 100% of results"), while search_name only comes up with 9 different summary index searches, and "search_name appears in 44% of results". Yes, that's right, "search_name" only shows up in about 160k of those 365k records.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...