Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why Is My Summary Index Not Being Populated?

bill_bartlett
Path Finder
‎04-06-2015 01:58 PM

I've been scratching my head for a couple of days trying to figure this out without success.

In following the Summary Index Knowledge Manual article titled "Usesummaryindexing" I believe I have the search scheduled correctly. I don't have the karma to post screenshots or links, so I'll do my best to describe the problem.

  • search name "summary_prod_5min"
  • search: index=prod | rex "(?<"LOG">.{300})" | sitop limit=100 LOG (I had to quote "LOG" for the wiki text parser. the actual search contains no quotes around LOG)
  • start time: -6m end time: -1m (to account for the slight lag in indexing..)
  • scheduled every 5 minutes (2,7,12,17,22,27,etc etc)
  • all default alert settings with no email, script, triggered alerts, etc.
  • summary indexing enabled to summary index called "ops_summary"
  • added field "report" with value of "prod_5min"

As far as I can tell, this is correctly configured. I also made sure that the ops_summary index is configured on the search head:

(root@splunkSH) splunk > bin/splunk cmd btool indexes list | sed -n -e '/ops_summary/,/\[/ p'
[ops_summary]
assureUTF8 = false
blockSignSize = 0
blockSignatureDatabase = _thefishbucket
bucketRebuildMemoryHint = auto
coldPath = $SPLUNK_DB/ops_summary/colddb
coldPath.maxDataSizeMB = 0
coldToFrozenDir =
coldToFrozenScript =
compressRawdata = true
defaultDatabase = _thefishbucket
enableOnlineBucketRepair = true
enableRealtimeSearch = true
frozenTimePeriodInSecs = 188697600
homePath = $SPLUNK_DB/ops_summary/db
homePath.maxDataSizeMB = 0
hotBucketTimeRefreshInterval = 10
indexThreads = auto
maxBloomBackfillBucketAge = 30d
maxBucketSizeCacheEntries = 0
maxConcurrentOptimizes = 1
maxDataSize = auto
maxHotBuckets = 3
maxHotIdleSecs = 0
maxHotSpanSecs = 7776000
maxMemMB = 5
maxMetaEntries = 1000000
maxRunningProcessGroups = 8
maxRunningProcessGroupsLowPriority = 1
maxTimeUnreplicatedNoAcks = 300
maxTimeUnreplicatedWithAcks = 60
maxTotalDataSizeMB = 100000
maxWarmDBCount = 300
memPoolMB = auto
minRawFileSyncSecs = disable
minStreamGroupQueueSize = 2000
partialServiceMetaPeriod = 0
processTrackerServiceInterval = 1
quarantineFutureSecs = 2592000
quarantinePastSecs = 77760000
rawChunkSizeBytes = 131072
repFactor = 0
rotatePeriodInSecs = 60
serviceMetaPeriod = 25
serviceOnlyAsNeeded = true
serviceSubtaskTimingPeriod = 30
streamingTargetTsidxSyncPeriodMsec = 5000
suppressBannerList = _audit
sync = 0
syncMeta = true
thawedPath = $SPLUNK_DB/ops_summary/thaweddb
throttleCheckPeriod = 15
tstatsHomePath = volume:_splunk_summaries/$_index_name/datamodel_summary
warmToColdScript =

The next step was to make sure the search returned results. I went to the search, and clicked "view recent" where I see each run does produce results; in the neighborhood of ~400k per run. I clicked "inspect" and the things that I would suspect to be there, are there. (summary index name is correct, input and output counts are there, summary_index action, etc.)

From what I can tell, everything indicates the summary index is configured appropriately. When I do a simple search, I get no results:

  • earliest=-1h index=ops_summary

I tried to be more specific, and it's still empty:

  • earliest=-1h index=ops_summary report=prod_5min

Can anyone lend some advice on where to look for trouble? I'm happy to provide any additional details as well.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

bill_bartlett
Path Finder
‎04-13-2015 05:43 PM

Well, this has been solved.

First, using the summary index commands only works with the default "summary" index. If, as I had, you try to use a non-default summary index, nothing works.

My other problem was that my search head was not forwarding any data to the indexers. Once I configured that, and stopped using si* commands, my summary index of "ops_summary" started populating fine.

Thanks again to everyone who contributed.

View solution in original post

Reply
Solved! Jump to solution
Solution

bill_bartlett
Path Finder
‎04-13-2015 05:43 PM

Well, this has been solved.

First, using the summary index commands only works with the default "summary" index. If, as I had, you try to use a non-default summary index, nothing works.

My other problem was that my search head was not forwarding any data to the indexers. Once I configured that, and stopped using si* commands, my summary index of "ops_summary" started populating fine.

Thanks again to everyone who contributed.

Reply
Solved! Jump to solution

bhawkins1
Communicator
‎11-04-2016 04:33 AM

When you tried to use a non-default summary index, are you sure you first created the index? I'm having a similar issue to the one you describe above, but have not solved it using the solution you describe here. Best guess is that I have a bigger problem than you did.

0 Karma
Reply
Solved! Jump to solution

bbartlett_splun
Splunk Employee
Splunk Employee
‎11-04-2016 05:05 AM

This is a year and a half old, so I don't remember exactly how I set this up. In reading the other comments, it looks like initially I made the mistake of not creating the new index on the indexers.

Can you elaborate on your problem, or create a new question with the steps you've already went through so we can try to assist you?

Reply
Solved! Jump to solution

bhawkins1
Communicator
‎11-04-2016 05:09 AM

Thanks for the response. I think that a rename * in my query is mangling timestamps, which means that I can find the results of my report by searching the summary index with index=, but, confusingly, see "There are no results because the first scheduled run of the report has not completed." when I open the report itself. If I don't solve this myself I'll surely make a new post. Thanks again.

0 Karma
Reply
Solved! Jump to solution

nayakr_r
Loves-to-Learn
‎08-15-2020 04:39 AM

Hi All,

 

I have the similiar problem. I have configured the indexers in indexer servers and search head and forwarding from search to indexer is enabled.

Problem statement 1: Summary indexing view recent jobs are showing the results but those are not getting forwareded to indexer layer. As an aleternative sometime I run the jobs manually from view recent and it will push the data. Manual run is working fine but auto excecution is not working.

 

Problem statement 2: Lets say all the summary indexing working fine. I have noticed after restart of search head summary indexing is stopped working.

As an alternative whenever I restart search head I go and refresh the summary indexing jobs manually.

 

These 2 are critical problems I'm facing in splunk summary indexing jobs.

Could someone guide me resolve the issue

 

 

Thanks,

Nayak

0 Karma
Reply
Solved! Jump to solution

bill_bartlett
Path Finder
‎04-07-2015 10:31 AM

UPDATE: I've tried with the default index and it behaves in the same way. I've also tried using '| top | collect index=xxxx' instead of sitop, and it still behaves the same way with nothing being written to the summary index.

Checking the results on "view recent" runs, the table is generated, and the output is what I'd expect to see.

0 Karma
Reply
Solved! Jump to solution

NOUMSSI
Builder
‎04-06-2015 06:23 PM

Hi;
At the level of choice of the start time and end time of your summary indexing, instead to use this:
start time: -6m end time: -1m
Use this
start time: -6m@m end time: -1m@m

Reply
Solved! Jump to solution

bill_bartlett
Path Finder
‎04-06-2015 10:19 PM

Thanks, NOUMSSI. That's a good point on my oversight. I don't think that's contributing to my problem, but I should clean up the start & end times as you suggest.

0 Karma
Reply
Solved! Jump to solution

NOUMSSI
Builder
‎04-07-2015 04:20 AM

Ok.
try and let me know if there is something else

0 Karma
Reply
Solved! Jump to solution

bill_bartlett
Path Finder
‎04-07-2015 08:57 AM

I changed the time, but the problem still persists. I see nothing when I search the "ops_summary" index.

0 Karma
Reply
Solved! Jump to solution

dolivasoh
Contributor
‎04-06-2015 02:18 PM

Are you doing this in a distributed environment?

0 Karma
Reply
Solved! Jump to solution

bill_bartlett
Path Finder
‎04-06-2015 02:31 PM

Yes, there are two indexers configured in distributed search.

0 Karma
Reply
Solved! Jump to solution

bill_bartlett
Path Finder
‎04-06-2015 03:32 PM

following up on this -- I had assumed I could summarize on the search head and search there as well without forwarding to the indexers. Is that not the case?

This is a fairly small deployment (~50GB/day) and everything is run within EC2 on EBS volumes, so data availability/replication isn't a major concern. (backed up to S3 via snapshots)

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎04-07-2015 09:04 AM

Are you forwarding data to indexers from search head?

If you are forwarding data to indexers from search head then "ops_summary" index must be present on indexers as well.

0 Karma
Reply
Solved! Jump to solution

bill_bartlett
Path Finder
‎04-07-2015 09:13 AM

harsmarvania57 - I am not forwarding data on the search head. I created those indexes on the two indexers as well just in case I missed something, but that hasn't helped either.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...