Knowledge Management

Why is the "Enable summary indexing" option no longer available in 6.6.0?

Splunk Employee
Splunk Employee

I currently have several scheduled jobs which generate summarized data which gets inserted into the summary index. Then I upgraded to Splunk 6.6.0 and created a new summary report, but no longer is the "enable summary indexing" option available in the settings -> searches, reports, alerts -> report window.

Even the previous summary reports that I have configured don't have that option anymore. Even though they don't have the option, the previous ones continue to function correctly, gathering the summary data into the summary index. But the new one that I need to have working soon has no way for me to enable it's summary indexing.

1 Solution

Splunk Employee
Splunk Employee

We are currently working on this to correct it. In the meantime could you please follow the manual steps?

  1. Create your searchs/reports/alerts.
  2. Then locate your config stanza in the savedsearches.conf, add the below;

action.summary_index = true
auto_summarize.dispatch.earliest_time ="set this by referencing the info from below"
https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/SearchTimeModifiers

Then $ ./bin/splunk _internal call /servicesNS/"user"/search/saved/searches/_reload

View solution in original post

Explorer

The "Edit Summary Indexing" Option appears to be missing in 7.24 as well...

0 Karma

Champion

The solution is the save the search as a Report. Once you save it, you can go back in and edit it to see the option to enable Summary indexing. If you save it as an Alert, the summary indexing option is missing.

The same issue detected on the new Splunk Enterprise 7.2.6.
Any new workaround as I can't give up Alerts for Reports as Throttle is required in my solution.

0 Karma

Observer

I am still experiencing this problem in 6.6.5, i.e.
- the 'edit summary index' option in 'Settings -> searches, reports and alerts' is blank

0 Karma

Super Champion

Is this broken again as of 7.0.1? The "Edit Summary Indexing" context menu for a report opens a blank box (no content), and for alerts, the appears to be no "Summary Indexing" alert action. What am I missing?

The above workaround only works if you have console (file-system) access. Setting those values via the "Advanced Edit" window has no effect.

Champion

Yes they broke it again.

0 Karma

Explorer

It looks like I am facing this issue in 6.6.2. When saving a search I just get the following two dialog windows and enable summary indexing is not shown - or I can't see it. I have done this in earlier versions (4.5) without issue so I know roughly what I am doing.

alt text

alt text

sounds like might be a bug or am I missing something else?

0 Karma

Path Finder

It's not under "edit schedule". Find your search in "Searches, Reports, and Alerts", click edit and you should see a "Edit Summary Indexing" option in the drop down.

0 Karma

Explorer

Thanks for replying cygnetix. You are spot on.

In case anyone else needs it the menu is in ...

Settings > knowledge > searches,reports and alerts and it is in the edit menu.

0 Karma

Splunk Employee
Splunk Employee

We are currently working on this to correct it. In the meantime could you please follow the manual steps?

  1. Create your searchs/reports/alerts.
  2. Then locate your config stanza in the savedsearches.conf, add the below;

action.summary_index = true
auto_summarize.dispatch.earliest_time ="set this by referencing the info from below"
https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/SearchTimeModifiers

Then $ ./bin/splunk _internal call /servicesNS/"user"/search/saved/searches/_reload

View solution in original post

Engager

This problem has been fixed in 6.6.2.

0 Karma

New Member

When i tried selecting a summary index, the particular index i want is not listed, even though i have access to the index. i could perform search on the index to be use for summary index, but its not appearing as the list of option to select from when enabling summary index for a report. Some other indexes that i have access to are also not appearing.. pls help

0 Karma

Engager

You need to have your indexes.conf file (where the indexes are defined) on your search head. Alternatively, in later versions you can click "advanced" and update the search macro directly with (index=whatever).

0 Karma

New Member

Thanks tvanry!

0 Karma

New Member

Has summary indexing been fixed in 6.6.2?

0 Karma

Engager

I can confirm that this has been fixed in 6.6.2.

0 Karma

New Member

In "$ ./bin/splunk _internal call /servicesNS//search/saved/searches/_reload", don't you need to specify the user who owns the saved search?

Should the reload call be:
$ ./bin/splunk _internal call /servicesNS/(user)/search/saved/searches/_reload

Note: I had to edit this to get the "(user)" to be saved properly in this comment. I assume splunk answers removed that from the original answer as well.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!