Solved: fill_summary_index.py is not doing dedup

luhadia_aditya · ‎01-09-2015

I am testing this script to be utilised in production and in my test-bed i found that this script is not doing the dedup, meaning even if the saved search, that populates the summary index, had run at a particular time (say 5 am), script is still triggering the search at the same moment when this time (5 am) falls in the -et #### -lt ##### range and writing the data in to summary index causing duplication >> affecting the stats badly.

Search trigger command --

/opt/splunk/bin/splunk cmd python fill_summary_index.py -app <app_name> -name '<saved_search_name>' -et 1420781400 -lt 1420788600 -dedup true -auth admin:<pwd>

I have already included the -dedup true argument.

I am aware that this -dedup true is different from the search command | dedup and its being triggered on search head (with forward data enabled to indexers) - Splunk 6.0.4 (build 207768)

Correct me if I am missing anything, thanks in advance!!

luhadia_aditya · ‎02-09-2015

Got the hack, was missing an argument of nolocal -

/opt/splunk/bin/splunk cmd python fill_summary_index.py -app -name -et -7d@d -lt @d -dedup true -nolocal true -auth admin:

View solution in original post

luhadia_aditya · ‎02-09-2015

Got the hack, was missing an argument of nolocal -

/opt/splunk/bin/splunk cmd python fill_summary_index.py -app -name -et -7d@d -lt @d -dedup true -nolocal true -auth admin:

fill_summary_index.py is not doing dedup

Almost Too Eventful Assurance: Part 1

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Are you a member of the Splunk Community?

fill_summary_index.py is not doing dedup

Almost Too Eventful Assurance: Part 1

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens