Knowledge Management

backfill summary index one day at a time

michaelrosello
Path Finder

I'm trying to back fill my summary index one day at a time because my current savesearch contains a lot of regular expressions and can only run 24 hours of data for it not to be truncated.

For example my data if from 01/01/2018 up to present.

So what I want is when i execute the script it will run for 01/01/2018 data. then after it finishes then will run again for 01/02/2018 data until I reach the date yesterday.

0 Karma

hallt2
New Member

You can use the Python API to do so pretty easily. You just have the search with the collect or summaryindex command and use a loop to iterate. http://dev.splunk.com/python

0 Karma

woodcock
Esteemed Legend

Your question makes no sense. Create a different populating search that will run every day for Last 24 hours and then run the backfill script over as many days as you like. It will run 1 day at a time, over and over.

0 Karma

michaelrosello
Path Finder

What Im trying to do is. put in summary index my data of 01/01/2018 upto 06/30/2018 in one execution. I want to backfill them all in one day.

0 Karma

woodcock
Esteemed Legend

And that is exactly what I told you how to do. Create a SI-populating search that covers Last 24 hours or Yesterday and the do backfill as described here, with the python script:

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...