
Why am I only getting partial results for a summary index

kiamco
Path Finder

I have this report with this query, but I am only getting partial results. It was run once, from the start of the year to the current date. This index would probably end up with around ~100 million logs. Did the report get stopped because of the sheer volume of this report?

(host=pnr-proxy-prod* OR host=master*.menlosecurity.com* OR host=pnr-webui-prod*)
source=**
(level=* OR "error:" OR "warn:" OR "[warn]" OR "WARNING")
| bucket _time span=1d
| eval no_event=if((isnull(event) AND (level="ERROR" OR level="WARNING")), _raw, null())
| rex field=host "^(master-|safemail-)?(.*-prod-)?(?<ms_version>[0-9-]+[0-9])"
| table _time, level, event, source, ms_version, no_event
| collect index=summary source=summary_all_events


somesoni2
Revered Legend

That could be the case. If this is going to be a regular scheduled summary indexing (e.g. daily/hourly), why not use summary indexing backfill to summarize historical data? Also, are you missing any kind of aggregation command here, or do you want to put all events into the summary index?

kiamco
Path Finder

I'm not familiar with using the Splunk CLI and might not have access to that. Yeah, I just need to put all events into an index because one of my dashboards stopped running because it was having a hard time processing the large volume of data in the past few days.


somesoni2
Revered Legend

Since you don't have access to the CLI, you should run the above search but divide the total time into different buckets, e.g. instead of running the query Year to Date, run it for 1 week at a time.

So you're basically just collecting all Warning/Error logs and putting it on one index/source for faster searching? Are you searching for the same in all indexes/sources/sourcetypes?

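As an added illustration of the advice above (this is not code from the thread or from Splunk), the following Python splits a backfill range into non-overlapping windows and emits one complete search per window, each with absolute epoch earliest/latest modifiers prepended to the base search from the question. The base search and the use of epoch values for earliest/latest are taken from the thread and standard SPL; the window length, the sample dates and the function names are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Base search copied from the question, with the named rex group restored.
# The time range is deliberately left out: every window supplies its own
# earliest/latest so no single run has to cover the whole year.
BASE_SEARCH = (
    '(host=pnr-proxy-prod* OR host=master*.menlosecurity.com* OR host=pnr-webui-prod*) '
    'source=* (level=* OR "error:" OR "warn:" OR "[warn]" OR "WARNING") '
    '| bucket _time span=1d '
    '| eval no_event=if((isnull(event) AND (level="ERROR" OR level="WARNING")), _raw, null()) '
    '| rex field=host "^(master-|safemail-)?(.*-prod-)?(?<ms_version>[0-9-]+[0-9])" '
    '| table _time, level, event, source, ms_version, no_event '
    '| collect index=summary source=summary_all_events'
)


def time_windows(start, end, days=7):
    """Split [start, end) into consecutive half-open windows of `days` days.

    Windows touch but never overlap, and the last one is truncated to `end`,
    so no event falls into two windows. That matters for summary indexing:
    running the same range twice would write duplicate events into the
    summary index, because `collect` does not deduplicate.
    """
    if days <= 0:
        raise ValueError("window length must be at least one day")
    windows = []
    current = start
    while current < end:
        nxt = min(current + timedelta(days=days), end)
        windows.append((current, nxt))
        current = nxt
    return windows


def backfill_searches(start, end, days=7, base=BASE_SEARCH):
    """Return one complete search string per window.

    `earliest`/`latest` accept epoch seconds in SPL; putting them in front of
    the base search makes each run a bounded, repeatable unit that can be
    pasted into the search bar or scheduled as its own report.
    """
    return [
        f"earliest={int(a.timestamp())} latest={int(b.timestamp())} {base}"
        for a, b in time_windows(start, end, days)
    ]


if __name__ == "__main__":
    # Constructed sample range (not the poster's real dates): ~11 weeks, UTC.
    start = datetime(2019, 1, 1, tzinfo=timezone.utc)
    end = datetime(2019, 3, 20, tzinfo=timezone.utc)
    for a, b in time_windows(start, end):
        print(f"{a:%Y-%m-%d} -> {b:%Y-%m-%d}")
    print(backfill_searches(start, end)[0])
```

Run each generated search in order and confirm the summary index contains the expected day count for a window before starting the next, since a window that hits the job's result limit would again produce partial data.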

kiamco
Path Finder

Yup, basically just doing it for faster search, and yeah, I'm searching in all sources because I might as well create a summary index that can also help with current and future dashboards.
