- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: Summary Index Backfill - Skipped
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Summary Index Backfill - Skipped
Hello
I have a scheduled search that populates a summary index. I would like to backfill that summary index for the last 1 day.
When I run this command:
./splunk cmd python fill_summary_index.py -app test_app -name "Report - test" -et -1d@d -lt @d -j 1 -dedup true -nolocal true -auth admin:xxxxx -index sum_test -showprogress true
I get a message:
"Out of 1 scheduled times, 1 will be skipped because they already exist"
Thanks for the tips!
Rodrigo Ribeiro
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems like some data is available for the time period you want to backfill. Did the regular schedule of your summary index ran already (and it might have some missing data that you want to backfill)? The flag -dedup will skip the backfill execution if the summary index data for the same period already exist. See Note on following Doc page: https://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Managesummaryindexgapsandoverlaps#Use_t...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2,
Exactly, I have a JOB that runs "yesterday" every day, but because an error in a search during execution:
"Unknown error for peer server_splunk003. Search Results might be incomplete. If this occurs frequently, please check on the peer"
I have this situation, example:
My JOB scheduled returned 300;
My query ad-hoc in the same period returned 400;
This occurs because a error message, i need to reprocess this difference and add data in summary index...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Easiest way would be to just delete that incomplete data for yesterday and then run backfill.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe my understanding is wrong, this script can be used only in the period i dont have data... That's it?
I thought this script to do a difference too and add fault data, but that does not seem to be the purpose, correct?
Tks,
Rodrigo Ribeiro
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
