Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: Summary index data is missing .
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Summary Index have data from past 6 months . Suddenly i see data missing for 20 days in Aug month . This data was there before. Can you please help on how to get the data back .
I have tried disabling the Summary Index, Restart the Splunk and Enable the Summary Index. This process did not help me.
Any help is highly appreciated.
Thanks.
Anantha.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe this has to do something with Retention period that we assign while creating Summary Index. Initially I gave as 1 month and so the data started disappearing slowely. I have created test_Summary_Index with 1yr of retention period and it all good .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's the first place we looked but doesn't appear to be our issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe this has to do something with Retention period that we assign while creating Summary Index. Initially I gave as 1 month and so the data started disappearing slowely. I have created test_Summary_Index with 1yr of retention period and it all good .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are having this EXACT same issue. The data was there, and it has just disappeared. What's odd as well as that it's a chunk of data in the middle of time and we still have data prior to and after the now missing data; that was there before.
We cannot backfill either as the base index has had the data roll off already.
We have a support case open and will be reporting this as another another customer is having the same issue out of no where.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have data in summary index in Jun, Jul and Sep month? If yes then troubleshoot why data was missing for 20 days, someone disabled Scheduled search which was ingesting data in summary index OR scheduled search which was ingesting data in summary index skipped for 20 days (This is very unlikely) (These are only two possibilities but there might be more possibilities.) ?
As a last resort if raw data available in original index for month of Aug from which you are ingesting data into summary index then you can backfill data in summary index. Have a look at doc https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Managesummaryindexgapsandoverlaps
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
