I've got a summary index query which currently matches only one (1) event in my existing data. I've run the fill_summary_index.py to backfill the data for that time period. When I attempt to fetch it via a search:
No results are retrieved. If I reduce my search to inspect any record in the summary index, I see there is a "source" field with the name of my saved search, but no matching entry in the search_name field. Is "source" preferred to find the summary index entries, or should I still be using search_name?
The recommended way to access the summary events is to use source="". Using search_name="" should work too, so I'm a little puzzled. Can you post what the event looks like and what version of Splunk you are running?
It's also apparently not only "single" summary events. I've got a set of eleven (11) summary index searches configured on my system. If I just search the summary index for any row, I come up with 365,429 events for today. No problem. However, in the field picker, the "source" field identifies the full 11 summary indexes ("source appears in 100% of results"), while search_name only comes up with 9 different summary index searches, and "search_name appears in 44% of results". Yes, that's right, "search_name" only shows up in about 160k of those 365k records.
Hmm, as ashamed as I am to admit it, this was a PEBKAC issue. When I examined the saved search definition within the Splunk Manager, the sitop command was missing. Upon further inspection, the savedsearches.conf had:
[Summarize Top Spam Relays by 30min] ... search = eventtype=mail_disposition categorization=spam\ | dedup host, qid | sitop limit=100 showperc=false relay, host, cluster ...
There should have been another \ after qid. I must have made a cut-and-paste error when duplicating this search from a different "categorization=".
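The root cause above (a `\` line continuation dropped from a multi-line `search =` value, so everything after it silently stopped being part of the saved search) is easy to catch mechanically. The following linter is an added example, not code from this thread or from Splunk: it relies only on the .conf rule that a value continues onto the next line when the current line ends with a backslash, and it flags any line that is neither a stanza header, a `key = value` pair, a comment, nor a continuation. The sample savedsearches.conf embedded below is constructed for the example; its first stanza reproduces the missing backslash after `qid`, the second is the corrected form.

```python
"""Lint a Splunk savedsearches.conf for broken line continuations.

In .conf files a value spans several lines only when each line ends with
a backslash. If one is missing, the remainder of the search becomes a
stray line that is not part of any key, so the saved search runs
truncated without any error being raised.
"""
import re
from typing import Dict, List, Tuple

KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.:-]+)\s*=\s*(.*)$")
STANZA = re.compile(r"^\s*\[(.+)\]\s*$")

# Constructed sample (not a real file): the first stanza lacks the
# trailing backslash after "qid", so its sitop line is orphaned.
SAMPLE_CONF = """\
[Summarize Top Spam Relays by 30min]
search = eventtype=mail_disposition categorization=spam \\
| dedup host, qid
| sitop limit=100 showperc=false relay, host, cluster
action.summary_index = 1

[Summarize Top Ham Relays by 30min]
search = eventtype=mail_disposition categorization=ham \\
| dedup host, qid \\
| sitop limit=100 showperc=false relay, host, cluster
action.summary_index = 1
"""


def parse_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, int, str]]]:
    """Return (stanzas, orphans).

    stanzas maps stanza name -> {key: value with continuations joined}.
    orphans lists (stanza, line_number, text) for lines that are neither a
    stanza header, a key = value pair, a comment, nor a continuation.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    orphans: List[Tuple[str, int, str]] = []
    current = "default"
    key = None
    continuing = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if continuing:
            # Previous line ended with '\': this line belongs to that value.
            stanzas[current][key] += " " + line.rstrip("\\").strip()
            continuing = line.endswith("\\")
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            continuing = value.endswith("\\")
            stanzas.setdefault(current, {})[key] = value.rstrip("\\").strip()
            continue
        # Not a header, not key = value, not continued: Splunk would ignore it.
        orphans.append((current, lineno, line.strip()))
    return stanzas, orphans


def lint_continuations(text: str) -> List[str]:
    """Report orphan lines; a leading '|' almost certainly means a lost '\\'."""
    _, orphans = parse_conf(text)
    report = []
    for stanza, lineno, line in orphans:
        hint = ("missing trailing backslash on the previous line?"
                if line.startswith("|") else "unexpected line")
        report.append(f"[{stanza}] line {lineno}: {hint}: {line}")
    return report


if __name__ == "__main__":
    for problem in lint_continuations(SAMPLE_CONF):
        print(problem)
```

Run against a real deployment, point `parse_conf` at the on-disk savedsearches.conf (or at `splunk btool savedsearches list` output) and compare the joined `search` values with what Splunk Manager shows; a search that ends before its `sitop`/`sistats` command is exactly the failure the thread describes.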