Solved: Re: Why is the "Enable summary indexing" option no...

sylim_splunk · ‎05-16-2017

I currently have several scheduled jobs which generate summarized data which gets inserted into the summary index. Then I upgraded to Splunk 6.6.0 and created a new summary report, but no longer is the "enable summary indexing" option available in the settings -> searches, reports, alerts -> report window.

Even the previous summary reports that I have configured don't have that option anymore. Even though they don't have the option, the previous ones continue to function correctly, gathering the summary data into the summary index. But the new one that I need to have working soon has no way for me to enable it's summary indexing.

sylim_splunk · ‎05-16-2017

We are currently working on this to correct it. In the meantime could you please follow the manual steps?

Create your searchs/reports/alerts.
Then locate your config stanza in the savedsearches.conf, add the below;

action.summary_index = true
auto_summarize.dispatch.earliest_time ="set this by referencing the info from below"
https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/SearchTimeModifiers

Then $ ./bin/splunk _internal call /servicesNS/"user"/search/saved/searches/_reload

View solution in original post

dcascione · ‎10-30-2019

The "Edit Summary Indexing" Option appears to be missing in 7.24 as well...

the_wolverine · ‎10-18-2018

The solution is the save the search as a Report. Once you save it, you can go back in and edit it to see the option to enable Summary indexing. If you save it as an Alert, the summary indexing option is missing.

henriquelinsmey · ‎05-16-2019

The same issue detected on the new Splunk Enterprise 7.2.6.
Any new workaround as I can't give up Alerts for Reports as Throttle is required in my solution.

rickybails · ‎01-05-2018

I am still experiencing this problem in 6.6.5, i.e.
- the 'edit summary index' option in 'Settings -> searches, reports and alerts' is blank

Lowell · ‎01-04-2018

Is this broken again as of 7.0.1? The "Edit Summary Indexing" context menu for a report opens a blank box (no content), and for alerts, the appears to be no "Summary Indexing" alert action. What am I missing?

The above workaround only works if you have console (file-system) access. Setting those values via the "Advanced Edit" window has no effect.

the_wolverine · ‎10-18-2018

Yes they broke it again.

mikeydee77 · ‎09-18-2017

It looks like I am facing this issue in 6.6.2. When saving a search I just get the following two dialog windows and enable summary indexing is not shown - or I can't see it. I have done this in earlier versions (4.5) without issue so I know roughly what I am doing.

sounds like might be a bug or am I missing something else?

cygnetix · ‎09-18-2017

It's not under "edit schedule". Find your search in "Searches, Reports, and Alerts", click edit and you should see a "Edit Summary Indexing" option in the drop down.

mikeydee77 · ‎09-19-2017

Thanks for replying cygnetix. You are spot on.

In case anyone else needs it the menu is in ...

Settings > knowledge > searches,reports and alerts and it is in the edit menu.

sylim_splunk · ‎05-16-2017

We are currently working on this to correct it. In the meantime could you please follow the manual steps?

Create your searchs/reports/alerts.
Then locate your config stanza in the savedsearches.conf, add the below;

action.summary_index = true
auto_summarize.dispatch.earliest_time ="set this by referencing the info from below"
https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/SearchTimeModifiers

Then $ ./bin/splunk _internal call /servicesNS/"user"/search/saved/searches/_reload

asusatapathy · ‎08-18-2021

Hi , Am using Splunk Enterprise Version:7.3.3. Still cant see drop down option for my saved search report even though I use below lines in my savedsearch.conf file.

action.summary_index = true

auto_summarize.dispatch.earliest_time = @w0

tvanry · ‎07-10-2017

This problem has been fixed in 6.6.2.

osunjio · ‎08-30-2017

When i tried selecting a summary index, the particular index i want is not listed, even though i have access to the index. i could perform search on the index to be use for summary index, but its not appearing as the list of option to select from when enabling summary index for a report. Some other indexes that i have access to are also not appearing.. pls help

bdenning2 · ‎08-30-2017

You need to have your indexes.conf file (where the indexes are defined) on your search head. Alternatively, in later versions you can click "advanced" and update the search macro directly with (index=whatever).

dgthistle · ‎07-10-2017

Thanks tvanry!

dgthistle · ‎07-10-2017

Has summary indexing been fixed in 6.6.2?

tvanry · ‎07-10-2017

I can confirm that this has been fixed in 6.6.2.

jedwardgrow · ‎06-25-2017

In "$ ./bin/splunk _internal call /servicesNS//search/saved/searches/_reload", don't you need to specify the user who owns the saved search?

Should the reload call be:
$ ./bin/splunk _internal call /servicesNS/(user)/search/saved/searches/_reload

Note: I had to edit this to get the "(user)" to be saved properly in this comment. I assume splunk answers removed that from the original answer as well.

Why is the "Enable summary indexing" option no longer available in 6.6.0?

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake