Knowledge Management

Why do my summary index events have maxtime="5m"?

Super Champion

Since upgrading to splunk 4.1, all of my summary indexing saved searches now include the following term stuck on the end of every event.

,maxtime="5m"

I can't find the field maxtime or the value 5m in savedsearches.conf and certainly my saved searches are not all scheduled to run every 5 minutes... So I'm not sure where any of this is coming from.....

Any ideas on what this is, what it means, or what value it's adding?

1 Solution

Splunk Employee

My bad, I meant to say 4.1.3 (upcoming release). You can fix this by editing etc/system/default/alert_actions.conf (yes edit the default conf file since we don't want the change to survive upgrades which have the bug fixed)

replace the [summary_index] command

command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"}$"

with

command = summaryindex addtime=true index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|(?:_.*))$)(.*)"}$"

Basically you're adding maxtime and inline to the list of keys that need to be ignored.

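As an added illustration (not code from the original thread and not Splunk's own implementation), here is a small Python model of what the key_regex in that command template does. It takes a constructed set of action.summary_index.* settings for one saved search, keeps only the keys whose names match the regex, and renders them as KEY="VAL" the way the format string in the template does. Running it with the old and the new key_regex shows why maxtime="5m" (and inline) ended up on every summary event and why the fix makes them disappear. The sample settings, the comma separator and the use of a full-string match are assumptions made for the model.

```python
import re

# Constructed sample of the action.summary_index.* settings Splunk would hold
# for one summary-indexing saved search (values are made up for this example).
SAVED_SEARCH_SETTINGS = {
    "action.summary_index": "1",
    "action.summary_index._name": "summary",          # underscore key, always skipped
    "action.summary_index.command": "summaryindex",   # explicitly skipped by both regexes
    "action.summary_index.maxresults": "10000",       # explicitly skipped by both regexes
    "action.summary_index.ttl": "86400",              # explicitly skipped by both regexes
    "action.summary_index.maxtime": "5m",             # the key that leaked into events
    "action.summary_index.inline": "1",               # second key added to the fix
    "action.summary_index.report": "web_errors_hourly",  # a user-defined marker field
}

# key_regex values copied from the old and new [summary_index] command in the post.
OLD_KEY_REGEX = r"action.summary_index.(?!(?:command|maxresults|ttl|(?:_.*))$)(.*)"
NEW_KEY_REGEX = r"action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|(?:_.*))$)(.*)"


def marker_keys(settings, key_regex):
    """Return the setting names that survive the key_regex filter.

    Assumed model of the $action.summary_index*{key_regex=...}$ expansion:
    a setting contributes a marker field when its full name matches the regex,
    and the regex's capture group is the short field name that gets emitted.
    """
    pattern = re.compile(key_regex)
    kept = []
    for name in sorted(settings):          # sorted so the result is deterministic
        match = pattern.fullmatch(name)
        if match:
            kept.append(match.group(1))
    return kept


def build_marker(settings, key_regex, separator=","):
    """Render the surviving keys with the template's KEY="VAL" format.

    The separator is an assumption; the original post shows the leaked field
    arriving as ,maxtime="5m", so a comma is used here.
    """
    fields = []
    for short_name in marker_keys(settings, key_regex):
        value = settings["action.summary_index." + short_name]
        fields.append(f'{short_name}="{value}"')
    return separator.join(fields)


def leaked_keys(settings, old_regex, new_regex):
    """Keys the old regex let through that the new regex now suppresses."""
    return sorted(set(marker_keys(settings, old_regex)) - set(marker_keys(settings, new_regex)))


if __name__ == "__main__":
    print("old marker:", build_marker(SAVED_SEARCH_SETTINGS, OLD_KEY_REGEX))
    print("new marker:", build_marker(SAVED_SEARCH_SETTINGS, NEW_KEY_REGEX))
    print("suppressed by the fix:", leaked_keys(SAVED_SEARCH_SETTINGS, OLD_KEY_REGEX, NEW_KEY_REGEX))
```

The negative lookahead is the whole trick: after the literal action.summary_index. prefix, it refuses any name that is exactly command, maxresults or ttl, or that starts with an underscore, and everything else is captured and written into the event. The 4.1 release started populating maxtime and inline under that prefix without adding them to the exclusion list, so they fell through to the marker; the fix simply lengthens the list.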

Explorer

I am running 4.1.2 and I am seeing maxtime="5m" added to all of my summary indexes as well. I do only see this when I populate a summary index using the saved search checkbox to create the summary. If I pipe the query to collect like "| collect index=test-index" I do not get the extra field.


Super Champion

Yes. That is correct, and what you are seeing is explained by Ledion's answer. The command entry in the alert_actions.conf file is what is being used to generate the collect command, which is what was causing the extra "maxtime" key to show up in the summary index. If you apply Ledion's fix you can make "maxtime" disappear completely in either summary indexing option, which to me seems preferable over updating all your summary indexing saved searches (guess it depends on how many you have.) But you are correct, you do have that option too.



Super Champion

Thanks for the additional info and the workaround on top of that! I have to say that is some interesting "command template" syntax... I can kind of guess at what's going on, but it still has that mysterious and magical feel to it. Very fun. Thanks again!


Splunk Employee

This was a (harmless) bug fixed in 4.1


Super Champion

That's weird, I'm running 4.1.2 and I'm still seeing maxtime="5m" added to all my summary index events. And I never saw this in events from when I was running 4.0.x
