Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

summary index not populated

sbsbb
Builder
‎02-16-2013 11:51 AM

I try to make a search with a timechart , run it every 15 minutes, and indexing the result.

Query works, and returns data, but if I try to search
index=summary search_name="scheduled_search_name"

I get no data ?

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-18-2013 10:46 AM

Yes, if you've run your search as you've said, with summary indexing selected and a valid index selected to write to, then you should be okay. It is possible that

  • you don't have permissions to the index your wrote to, as you suggested
  • the index doesn't exist so the summary couldn't be saved
  • the summary is forwarded to a different indexer, and you're not set up to query that indexer (which is a complicated version of the permissions problem essentially)
  • there are deeper config issues, though those would be considered abnormal
Reply

sbsbb
Builder
‎02-18-2013 01:01 AM

Thank you so much for telling me I'm a dumb newbie, that helps a lot !

I think I can't see the logs because of user policy, we have a big shared system, so I don't have access to everything.

I've scheduled the search, (and I see it has been executed), and checked "Summary Indexing" "Enabled"
If I need something in my query for having this to work, it maybe what I'm missing....

0 Karma
Reply

Ayn
Legend
‎02-18-2013 12:50 AM

First of all, I don't see anything that shows you actually are writing events to a summary index in your search. You only say that you have a query that returns results.

Secondly, if you don't see ANY of the logs yannK is talking about you're in some serious trouble (or more likely, don't really know your way around Splunk, which can be understandable but is the real problem that should be addressed first before you dive into this more thoroughly)

0 Karma
Reply

sbsbb
Builder
‎02-17-2013 10:16 PM

I made a scheduled search, ending with | timechart span="1m" count by field1... The query returns results, but searching the index ist empty...

I can't see any of the logs specified in the first answer.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎02-16-2013 12:28 PM

1 - verify that the scheduled search ran

index=_internal source=*scheduler.log

2 -check in for warnings about the spooler

index=_internal source=*splunkd.log "*spool*"

3- double check if your server is indexing locally or forwarding to another indexer

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-16-2013 12:09 PM

You probably need to provide more information than this to get a helpful answer. For example, how are you "indexing the result"? Is there anything in the summary at all? etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top