Knowledge Management

backfill summary index one day at a time

Path Finder

I'm trying to backfill my summary index one day at a time because my current saved search contains a lot of regular expressions and can only run over 24 hours of data without being truncated.

For example, my data is from 01/01/2018 up to the present.

So what I want is that when I execute the script, it will run for the 01/01/2018 data, then after it finishes it will run again for the 01/02/2018 data, and so on until I reach yesterday's date.

0 Karma

New Member

You can use the Python API to do so pretty easily. You just have the search with the collect or summaryindex command and use a loop to iterate. http://dev.splunk.com/python

0 Karma

Esteemed Legend

Your question makes no sense. Create a different populating search that will run every day for Last 24 hours and then run the backfill script over as many days as you like. It will run 1 day at a time, over and over.

0 Karma

Path Finder

What I'm trying to do is put my data from 01/01/2018 up to 06/30/2018 into the summary index in one execution. I want to backfill them all in one day.

0 Karma

Esteemed Legend

And that is exactly what I told you how to do. Create an SI-populating search that covers Last 24 hours or Yesterday and then do the backfill as described here, with the Python script:

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps
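
The one-day-at-a-time loop discussed in this thread, as an added example that is not code from any of the posters or from Splunk. It assumes the Splunk SDK for Python (`splunklib`), day boundaries in UTC, and a hypothetical search and summary index name (`my_summary`); the host, port and environment variable names are also assumptions.

```python
"""Added example: backfill a summary index one calendar day per search job."""
import os
from datetime import date, datetime, timedelta, timezone


def day_windows(first_day, last_day):
    """Return one (earliest, latest) epoch pair per day, first_day..last_day inclusive.

    Splunk treats earliest as inclusive and latest as exclusive, so adjacent
    windows share a boundary without overlapping or leaving a gap.
    """
    windows = []
    day = first_day
    while day <= last_day:
        start = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
        end = start + timedelta(days=1)
        windows.append((int(start.timestamp()), int(end.timestamp())))
        day += timedelta(days=1)
    return windows


def backfill(service, query, first_day, last_day=None):
    """Run `query` once per day, waiting for each job before starting the next."""
    if last_day is None:  # default: stop at yesterday
        last_day = datetime.now(timezone.utc).date() - timedelta(days=1)
    filled = []
    for earliest, latest in day_windows(first_day, last_day):
        job = service.jobs.create(query, exec_mode="blocking",
                                  earliest_time=earliest, latest_time=latest)
        if job["isFailed"] == "1":
            # Stop here so a failed day is noticed instead of becoming a silent gap.
            raise RuntimeError(f"backfill failed for window {earliest}-{latest}")
        filled.append((earliest, latest))
    return filled


if __name__ == "__main__":
    import splunklib.client as client  # pip install splunk-sdk

    svc = client.connect(host="localhost", port=8089,
                         username=os.environ["SPLUNK_USER"],
                         password=os.environ["SPLUNK_PASS"])
    # Hypothetical populating search; replace with the real one ending in collect.
    QUERY = "search index=main | stats count by host | collect index=my_summary"
    for earliest, latest in backfill(svc, QUERY, date(2018, 1, 1)):
        print("filled", earliest, latest)
```

Re-running the script over days that were already filled writes duplicate summary events, so restart it from the first day that failed.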