Unable to save summary search because summary inde...

the_wolverine · ‎10-09-2014

Our summary index is not recognized in UI when attempt to save a scheduled search to write to it. These indexes are just like any other index.

ERROR SavedSearchAdminHandler - Index name=summary_test does not exist. The summary index must exist in order for a scheduled search to populate it.

False. The index exists.

We use a SH_POOL and Distributed search. Summary indexed data will go to indexers.

We are being told that a "stub" index needs to be created on the SH -- why? Why is Splunk able to write to any other index but not a summary index without a "stub" being created on the SH? It appears to be a bug.

yannK · ‎10-10-2014

If the index is created on the indexers, but not on the search-heads, the SH may complain when you are trying to select it.
Quick workaround, define the index on the SH, but forwar the data to the indexer anyway.

ben_leung · ‎07-14-2016

Is this issue still in version 6.3+ ?

the_wolverine · ‎10-13-2014

What is the reason for this and where is the documentation that explains the issue?

jrodman · ‎10-10-2014

This is a current limitation in the Splunk UI.

Unable to save summary search because summary index is missing

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies