Solved: Malformed Saved Search Error when setting up Summa...

lweiss · ‎02-15-2023

I received an error stating "This saved search cannot perform summary indexing because it has a malformed search." while I was setting up summary indexing through the UI.

The SPL in my saved search included a lookup and a subsearch to dynamically set the earliest and latest values for the main search.

From what I found researching the error, the issue is related to passing the earliest and latest values back to the main search. It took me a while to solve this so I thought I'd post it here to help anyone else seeing this error.

lweiss · ‎02-15-2023

Here's the solution I found as an alternative to enabling summary indexing through the UI.

I added a collect command to the end of the query to write the results to the specified summary index so the UI wasn't needed to set up the summary indexing.

The format for the collect command is:

| collect index=<name of target summary index> source=<name of saved search generating the results>

View solution in original post

lweiss · ‎02-15-2023

Here's the solution I found as an alternative to enabling summary indexing through the UI.

I added a collect command to the end of the query to write the results to the specified summary index so the UI wasn't needed to set up the summary indexing.

The format for the collect command is:

| collect index=<name of target summary index> source=<name of saved search generating the results>

Malformed Saved Search Error when setting up Summary Indexing

saved search

summary indexing

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life