Knowledge Management

Why is the "Enable summary indexing" option no longer available in 6.6.0?

sylim_splunk
Splunk Employee
Splunk Employee

I currently have several scheduled jobs which generate summarized data which gets inserted into the summary index. Then I upgraded to Splunk 6.6.0 and created a new summary report, but no longer is the "enable summary indexing" option available in the settings -> searches, reports, alerts -> report window.

Even the previous summary reports that I have configured don't have that option anymore. Even though they don't have the option, the previous ones continue to function correctly, gathering the summary data into the summary index. But the new one that I need to have working soon has no way for me to enable it's summary indexing.

1 Solution

sylim_splunk
Splunk Employee
Splunk Employee

We are currently working on this to correct it. In the meantime could you please follow the manual steps?

  1. Create your searchs/reports/alerts.
  2. Then locate your config stanza in the savedsearches.conf, add the below;

action.summary_index = true
auto_summarize.dispatch.earliest_time ="set this by referencing the info from below"
https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/SearchTimeModifiers

Then $ ./bin/splunk _internal call /servicesNS/"user"/search/saved/searches/_reload

View solution in original post

dcascione
Explorer

The "Edit Summary Indexing" Option appears to be missing in 7.24 as well...

0 Karma

the_wolverine
Champion

The solution is the save the search as a Report. Once you save it, you can go back in and edit it to see the option to enable Summary indexing. If you save it as an Alert, the summary indexing option is missing.

henriquelinsmey
Explorer

The same issue detected on the new Splunk Enterprise 7.2.6.
Any new workaround as I can't give up Alerts for Reports as Throttle is required in my solution.

0 Karma

rickybails
Loves-to-Learn Lots

I am still experiencing this problem in 6.6.5, i.e.
- the 'edit summary index' option in 'Settings -> searches, reports and alerts' is blank

0 Karma

Lowell
Super Champion

Is this broken again as of 7.0.1? The "Edit Summary Indexing" context menu for a report opens a blank box (no content), and for alerts, the appears to be no "Summary Indexing" alert action. What am I missing?

The above workaround only works if you have console (file-system) access. Setting those values via the "Advanced Edit" window has no effect.

the_wolverine
Champion

Yes they broke it again.

0 Karma

mikeydee77
Path Finder

It looks like I am facing this issue in 6.6.2. When saving a search I just get the following two dialog windows and enable summary indexing is not shown - or I can't see it. I have done this in earlier versions (4.5) without issue so I know roughly what I am doing.

alt text

alt text

sounds like might be a bug or am I missing something else?

0 Karma

cygnetix
Path Finder

It's not under "edit schedule". Find your search in "Searches, Reports, and Alerts", click edit and you should see a "Edit Summary Indexing" option in the drop down.

mikeydee77
Path Finder

Thanks for replying cygnetix. You are spot on.

In case anyone else needs it the menu is in ...

Settings > knowledge > searches,reports and alerts and it is in the edit menu.

sylim_splunk
Splunk Employee
Splunk Employee

We are currently working on this to correct it. In the meantime could you please follow the manual steps?

  1. Create your searchs/reports/alerts.
  2. Then locate your config stanza in the savedsearches.conf, add the below;

action.summary_index = true
auto_summarize.dispatch.earliest_time ="set this by referencing the info from below"
https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/SearchTimeModifiers

Then $ ./bin/splunk _internal call /servicesNS/"user"/search/saved/searches/_reload

asusatapathy
Observer

Hi , Am using Splunk Enterprise Version:7.3.3. Still cant see drop down option for my saved search report even though I use below lines in my savedsearch.conf file.

 

action.summary_index = true

auto_summarize.dispatch.earliest_time = @w0

0 Karma

tvanry
Engager

This problem has been fixed in 6.6.2.

0 Karma

osunjio
New Member

When i tried selecting a summary index, the particular index i want is not listed, even though i have access to the index. i could perform search on the index to be use for summary index, but its not appearing as the list of option to select from when enabling summary index for a report. Some other indexes that i have access to are also not appearing.. pls help

0 Karma

bdenning2
Engager

You need to have your indexes.conf file (where the indexes are defined) on your search head. Alternatively, in later versions you can click "advanced" and update the search macro directly with (index=whatever).

0 Karma

dgthistle
New Member

Thanks tvanry!

0 Karma

dgthistle
New Member

Has summary indexing been fixed in 6.6.2?

0 Karma

tvanry
Engager

I can confirm that this has been fixed in 6.6.2.

0 Karma

jedwardgrow
New Member

In "$ ./bin/splunk _internal call /servicesNS//search/saved/searches/_reload", don't you need to specify the user who owns the saved search?

Should the reload call be:
$ ./bin/splunk _internal call /servicesNS/(user)/search/saved/searches/_reload

Note: I had to edit this to get the "(user)" to be saved properly in this comment. I assume splunk answers removed that from the original answer as well.

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...