Solved: Re: Why do my summary index events have maxtime="5...

Lowell · ‎05-14-2010

Since upgrading to splunk 4.1, all of my summary indexing saved searches now include following term stuck on the end of every event.

,maxtime="5m"

I can't find the field maxtime or the value 5m in savedsearches.conf and certainly my saved searches are not all scheduled to run every 5 minutes... So I'm not sure where any of this is coming from.....

Any ideas on what this is, what is means, or what value it's adding?

Ledion_Bitincka · ‎05-17-2010

My bad, I meant to say 4.1.3 (upcoming release). You can fix this by editing etc/system/default/alert_actions.conf (yes edit the default conf file since we don't want the change to survive upgrades which have the bug fixed)

replace the [summary_index] command

command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"}$"

with

command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|(?:_.*))$)(.*)"}$"

Basically you're adding maxtime and inline to the list of keys that need to be ignored.

View solution in original post

hammon0u · ‎06-03-2010

I am runnng 4.1.2 and I am seeing maxtime="5m" added to all of my summary indexes as well. I do only see this when I populate a summary index using the saved search checkbox to create the summary. If I pipe the query to collect like "| collect index=test-index" I do not get the extra field.

Lowell · ‎06-04-2010

Yes. That is correct, and what you are seeing is explained by Ledion's answer. The command entry in the alert_actions.conf file is what is being used to generate the collect command which is what was causing the extra "maxtime" key to showup in the summary index. If you apply Ledion's fix you can make "maxtime" disappear completely in either summary indexing option, which to me seems preferable over updating all your summary indexing saved searches (guess it depends on how many you have.) But you are correct, you do have that option too.

Ledion_Bitincka · ‎05-17-2010

My bad, I meant to say 4.1.3 (upcoming release). You can fix this by editing etc/system/default/alert_actions.conf (yes edit the default conf file since we don't want the change to survive upgrades which have the bug fixed)

replace the [summary_index] command

command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"}$"

with

command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|(?:_.*))$)(.*)"}$"

Basically you're adding maxtime and inline to the list of keys that need to be ignored.

Lowell · ‎05-17-2010

Thanks for the additional info and the workaround on top of that! I have to say that is some interesting "command template" syntax... I can kind of guess at what's going on, but it still has that mysterious and magical feel to it. Very fun. Thanks again!

Ledion_Bitincka · ‎05-15-2010

This was a (harmless) bug fixed in 4.1

Lowell · ‎05-17-2010

That's weird, I'm running 4.1.2 and I'm still seeing maxtime="5m" added to all my summary index events. And I never saw this in events from when I was running 4.0.x

Why do my summary index events have maxtime="5m"?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!