Single summary index match not visible with search_name?

smisplunk
Path Finder

I've got a summary index query which currently matches only one (1) event in my existing data. I've run the fill_summary_index.py to backfill the data for that time period. When I attempt to fetch it via a search:

index=<summary_index> search_name="<name_of_saved_search>"

No results are retrieved. If I reduce my search to inspect any record in the summary index, I see there is a "source" field with the name of my saved search, but no matching entry in the search_name field. Is "source" preferred to find the summary index entries, or should I still be using search_name?


smisplunk
Path Finder

Hmm, as ashamed as I am to admit it, this was a PEBKAC issue. When I examined the saved search definition within the Splunk Manager, the sitop command was missing. Upon further inspection, the savedsearches.conf had:

[Summarize Top Spam Relays by 30min]
...
search = eventtype=mail_disposition categorization=spam\
| dedup host, qid
| sitop limit=100 showperc=false relay, host, cluster
...

There should have been another \ after qid. I must have made a cut-and-paste error when duplicating this search from a different "categorization=".

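The failure mode in the accepted answer (a missing trailing backslash in savedsearches.conf silently truncating the search pipeline) can be reproduced with a small parser. The following Python is an added example written for this page; it is not Splunk code, and the treatment of leftover lines as "orphans" is this example's own reporting choice rather than a description of how splunkd handles them. The two stanzas are constructed from the post: the broken one without the backslash after qid, and the corrected one with it.

```python
"""Toy parser for Splunk .conf stanzas (added example, not Splunk's own code).

A Splunk .conf value continues onto the next line when the current line ends
with a backslash.  Reproducing that rule shows what happens when one backslash
is missing: the `search` value ends early and the remaining pipeline segments
never become part of the saved search.  Reporting such lines as "orphans" is
this example's assumption, not a statement about splunkd's behaviour.
"""
import re

STANZA_NAME = "Summarize Top Spam Relays by 30min"

# Constructed sample: the stanza from the post, missing the backslash after "qid".
BROKEN_CONF = """\
[Summarize Top Spam Relays by 30min]
search = eventtype=mail_disposition categorization=spam\\
| dedup host, qid
| sitop limit=100 showperc=false relay, host, cluster
"""

# Constructed sample: the same stanza with the continuation restored.
FIXED_CONF = """\
[Summarize Top Spam Relays by 30min]
search = eventtype=mail_disposition categorization=spam\\
| dedup host, qid\\
| sitop limit=100 showperc=false relay, host, cluster
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# Keys look like identifiers (dots allowed, e.g. action.summary_index._name);
# a line starting with "|" therefore cannot be a key and is reported as orphan.
KEY_RE = re.compile(r"^(?P<key>[A-Za-z_][\w.\-]*)\s*=\s*(?P<value>.*)$")


def join_continuations(text):
    """Merge a line ending in a backslash with the following line (single space between)."""
    logical, pending = [], None
    for raw in text.splitlines():
        line = raw
        if pending is not None:
            line = pending + " " + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1].rstrip()  # continuation expected on the next line
            continue
        logical.append(line)
    if pending is not None:  # dangling backslash at end of file
        logical.append(pending)
    return logical


def parse_conf(text):
    """Return ({stanza: {key: value}}, [(stanza, orphan line), ...])."""
    stanzas, orphans, current = {}, [], None
    for line in join_continuations(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = {}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value")
        else:
            orphans.append((current, line))
    return stanzas, orphans


def check_search_pipeline(text, stanza):
    """Return (parsed `search` value, orphan lines found under `stanza`)."""
    stanzas, orphans = parse_conf(text)
    search = stanzas.get(stanza, {}).get("search", "")
    lost = [line for name, line in orphans if name == stanza]
    return search, lost


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        search, lost = check_search_pipeline(conf, STANZA_NAME)
        print(f"{label}: search = {search}")
        for line in lost:
            print(f"{label}: orphan line never reaches the search: {line}")
```

Run against the broken stanza, the parsed search stops at `dedup host, qid` and the `sitop` line is reported as an orphan, which is exactly the symptom seen in Splunk Manager; the fixed stanza yields the full three-stage pipeline and no orphans. A check like this is cheap to run over a savedsearches.conf before deploying it.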


Ledion_Bitincka
Splunk Employee

The recommended way to access the summary events is to use source="". Using search_name="" should work too, so I'm a little puzzled. Can you post what the event looks like and which version of Splunk you are running?


smisplunk
Path Finder

Running 4.1.2.

It's also apparently not only "single" summary events. I've got a set of eleven (11) summary index searches configured on my system. If I just search the summary index for any row, I come up with 365,429 events for today. No problem. However, in the field picker, the "source" field identifies the full 11 summary indexes ("source appears in 100% of results"), while search_name only comes up with 9 different summary index searches, and "search_name appears in 44% of results". Yes, that's right, "search_name" only shows up in about 160k of those 365k records.
