Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Summary Index

VijaySrrie
Builder
‎03-17-2021 11:46 PM

Hi,

I have a scheduled search where summary indexing is enabled

I also have a summary index created.

The output of the scheduled search is not send to summary index.

summar index = "test_summary"

Scheduled search name -  test_summary_report 

summary indexing is enabled

vijaysri_0-1616049927980.png

Cron schedule is set to run every minute.

 

What would be the issue?

 

 

0 Karma
Reply

VijaySrrie
Builder
‎03-18-2021 09:28 PM

@manjunathmeti  you can see the query has run and we are getting the results, and the results from the query is sent to the index, but when i search the index=test_summary, no results are seen.

vijaysri_0-1616127950790.png

vijaysri_1-1616128004450.png

 

0 Karma
Reply

manjunathmeti
Champion
‎03-18-2021 12:42 AM

hi @VijaySrrie,
1. Check the time period for the scheduled search test_summary_report and see if the search produces any results in that time period. You can check the event count for the scheduled search on the Activity >> Jobs page.

2. If you are getting results in the time period then use the collect command to push the search results to the summary index.

saved_search_query | collect index=test_summary sourcetype=test

 

If this reply helps you, an upvote/like would be appreciated.

 

0 Karma
Reply

VijaySrrie
Builder
‎03-18-2021 07:42 AM

@manjunathmeti  when I opened the scheduled search I could see the results

Scheduled search Query - | inputlookup lookup.csv

I tried the below query

 

saved_search_query | collect index=test_summary sourcetype=test

| inputlookup lookup.csv | collect index=test_summary  (This is not working) --> When I searched the index=test_summary (Time range: All time) - I was not getting any results

0 Karma
Reply

manjunathmeti
Champion
‎03-18-2021 10:02 AM

Check if the user has access to index test_summary.

0 Karma
Reply

VijaySrrie
Builder
‎03-18-2021 06:08 PM

@manjunathmeti  I am the user who created the Index, I have admin access

0 Karma
Reply

manjunathmeti
Champion
‎03-18-2021 11:52 PM

Try summarizing in another index:

| inputlookup noc | summaryindex index=main sourcetype=test
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...