Since upgrading to Splunk 4.1, all of my summary indexing saved searches now include the following term stuck on the end of every event:
,maxtime="5m"
I can't find the field maxtime or the value 5m in savedsearches.conf, and certainly my saved searches are not all scheduled to run every 5 minutes... So I'm not sure where any of this is coming from.
Any ideas on what this is, what it means, or what value it's adding?
My bad, I meant to say 4.1.3 (upcoming release). You can fix this by editing etc/system/default/alert_actions.conf (yes edit the default conf file since we don't want the change to survive upgrades which have the bug fixed)
replace the [summary_index] command
command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"}$"
with
command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|(?:_.*))$)(.*)"}$"
Basically you're adding maxtime and inline to the list of keys that need to be ignored.
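To make the key_regex change less "magical", here is an added Python sketch (not Splunk's code and not from this thread) that mimics how the marker template walks the action.summary_index.* settings, keeps only the keys the regex lets through, and renders them as KEY="VAL". The sample settings, the sorted key order and the ", " separator are assumptions for illustration.

```python
import re

# Constructed sample of the action.summary_index.* settings Splunk expands for
# one saved search. "report" stands in for a user-defined marker field.
SAMPLE_SETTINGS = {
    "action.summary_index": "1",
    "action.summary_index._name": "summary",
    "action.summary_index.command": "summaryindex addtime=true ...",
    "action.summary_index.inline": "1",
    "action.summary_index.maxresults": "10000",
    "action.summary_index.maxtime": "5m",
    "action.summary_index.ttl": "120",
    "action.summary_index.report": "daily_login_failures",
}

# The two key_regex values from alert_actions.conf (before and after the fix).
OLD_KEY_REGEX = r"action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"
NEW_KEY_REGEX = r"action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|(?:_.*))$)(.*)"


def marker_keys(settings, key_regex):
    """Return the (KEY, VAL) pairs the marker would carry.

    The negative lookahead rejects control keys (and anything starting with
    "_"); the trailing (.*) capture is what becomes KEY. Sorted order is an
    assumption; the real expansion order is not documented here.
    """
    pattern = re.compile(key_regex)
    pairs = []
    for key in sorted(settings):
        match = pattern.match(key)
        if match is not None:
            pairs.append((match.group(1), settings[key]))
    return pairs


def build_marker(settings, key_regex):
    """Render the pairs as KEY="VAL" joined with ", " (separator assumed)."""
    return ", ".join('%s="%s"' % (k, v) for k, v in marker_keys(settings, key_regex))


if __name__ == "__main__":
    print("old:", build_marker(SAMPLE_SETTINGS, OLD_KEY_REGEX))
    print("new:", build_marker(SAMPLE_SETTINGS, NEW_KEY_REGEX))
```

With the old regex the output carries inline="1" and maxtime="5m"; with the fixed regex only the user-defined field survives.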
I am running 4.1.2 and I am seeing maxtime="5m" added to all of my summary indexes as well. I do only see this when I populate a summary index using the saved search checkbox to create the summary. If I pipe the query to collect like "| collect index=test-index" I do not get the extra field.
Yes. That is correct, and what you are seeing is explained by Ledion's answer. The command entry in the alert_actions.conf file is what is being used to generate the collect command, which is what was causing the extra "maxtime" key to show up in the summary index. If you apply Ledion's fix you can make "maxtime" disappear completely in either summary indexing option, which to me seems preferable over updating all your summary indexing saved searches (guess it depends on how many you have). But you are correct, you do have that option too.
Thanks for the additional info and the workaround on top of that! I have to say that is some interesting "command template" syntax... I can kind of guess at what's going on, but it still has that mysterious and magical feel to it. Very fun. Thanks again!
This was a (harmless) bug fixed in 4.1
That's weird, I'm running 4.1.2 and I'm still seeing maxtime="5m" added to all my summary index events. And I never saw this in events from when I was running 4.0.x.