Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Summary Index

VijaySrrie
Builder
‎03-17-2021 11:46 PM

Hi,

I have a scheduled search where summary indexing is enabled

I also have a summary index created.

The output of the scheduled search is not send to summary index.

summar index = "test_summary"

Scheduled search name -  test_summary_report 

summary indexing is enabled

vijaysri_0-1616049927980.png

Cron schedule is set to run every minute.

 

What would be the issue?

 

 

0 Karma
Reply

VijaySrrie
Builder
‎03-18-2021 09:28 PM

@manjunathmeti  you can see the query has run and we are getting the results, and the results from the query is sent to the index, but when i search the index=test_summary, no results are seen.

vijaysri_0-1616127950790.png

vijaysri_1-1616128004450.png

 

0 Karma
Reply

manjunathmeti
Champion
‎03-18-2021 12:42 AM

hi @VijaySrrie,
1. Check the time period for the scheduled search test_summary_report and see if the search produces any results in that time period. You can check the event count for the scheduled search on the Activity >> Jobs page.

2. If you are getting results in the time period then use the collect command to push the search results to the summary index.

saved_search_query | collect index=test_summary sourcetype=test

 

If this reply helps you, an upvote/like would be appreciated.

 

0 Karma
Reply

VijaySrrie
Builder
‎03-18-2021 07:42 AM

@manjunathmeti  when I opened the scheduled search I could see the results

Scheduled search Query - | inputlookup lookup.csv

I tried the below query

 

saved_search_query | collect index=test_summary sourcetype=test

| inputlookup lookup.csv | collect index=test_summary  (This is not working) --> When I searched the index=test_summary (Time range: All time) - I was not getting any results

0 Karma
Reply

manjunathmeti
Champion
‎03-18-2021 10:02 AM

Check if the user has access to index test_summary.

0 Karma
Reply

VijaySrrie
Builder
‎03-18-2021 06:08 PM

@manjunathmeti  I am the user who created the Index, I have admin access

0 Karma
Reply

manjunathmeti
Champion
‎03-18-2021 11:52 PM

Try summarizing in another index:

| inputlookup noc | summaryindex index=main sourcetype=test
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top