Why are scheduled searches not working in our newly created index?

Path Finder

Why am I unable to write to a new index

I have created a new index through the UI, by going to:

Settings > Data > Indexes > New Index

Filling out the name and then essentially leaving everything else as default.

I then wrote a scheduled search to write to this index. The search produces results when I run it in the search bar, and also works when I set it to write to other previously existing indexes. It only doesn't work when I try to write to a newly created index (I have tried with a few).

Is there a step I need to do to allow data to be written into a new index? What am I missing here?

Thanks,

Sam

0 Karma

Re: Why are scheduled searches not working in our newly created index?

Influencer

Hi,

Can you post your search?

0 Karma

Re: Why are scheduled searches not working in our newly created index?

Path Finder

Hi,

It looks like this:

index=iis a_app=<app> a_action=<action>
| eventstats count min(time_taken) as min_tt max(time_taken) as max_tt avg(time_taken) as a_tt perc90(time_taken) as p_tt by a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| sistats max(_time) max(count) max(a_tt)  max(p_tt) max(min_tt) max(max_tt) by a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| fields + psrsvd_nx__time   psrsvd_nx_a_tt psrsvd_nx_count psrsvd_nx_min_tt psrsvd_nx_max_tt psrsvd_nx_p_tt a_customer a_customer_code date_month date_mday date_hour sc_status c_ip cs_host sc_bytes a_version
| rename psrsvd_nx_a_tt AS "AverageTimeTaken" 
| rename psrsvd_nx_count AS "CountOfEvents" 
| rename psrsvd_nx_max_tt AS "MaxTimeTaken" 
| rename psrsvd_nx_p_tt AS "90thPercentileTimeTaken"
| rename psrsvd_nx_min_tt AS "MinTimeTaken" 
0 Karma

Re: Why are scheduled searches not working in our newly created index?

Path Finder

However, I have also tried just doing a simple one, like this:

index=iis a_app=<app> a_action=<action>
| fields +  a_customer a_customer_code  sc_status c_ip cs_host sc_bytes a_version _time time_taken date_month date_mday date_hour
0 Karma

Re: Why are scheduled searches not working in our newly created index?

Influencer

OK, so I don't get what you mean by "writing to an index"; despite a summary index, you are not writing to an index by executing a search.

What is the error that is displayed when you run this search? What is your expected result?

0 Karma

Re: Why are scheduled searches not working in our newly created index?

Path Finder

Essentially I am trying to do what I would do to a summary index but on a fresh one. Is it not the same principle? Where I enable summary indexing in the search and then select an index?

There is no error, the search runs as normal (even gives results) but does not write anything to the index I request.

0 Karma

Re: Why are scheduled searches not working in our newly created index?

Influencer

Did you configure summary indexing on this index?

Refer to http://docs.splunk.com/Documentation/Splunk/7.2.1/Knowledge/Configuresummaryindexes

0 Karma

Re: Why are scheduled searches not working in our newly created index?

SplunkTrust

Are you in a distributed environment? If so, make sure you create the index on all indexers.

0 Karma

Re: Why are scheduled searches not working in our newly created index?

Path Finder

How would I ensure the index is on all indexers?

0 Karma

Re: Why are scheduled searches not working in our newly created index?

SplunkTrust

By checking that you distributed the relevant indexes.conf to all indexers.

0 Karma
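
What the last reply describes, as an added example that is not part of the original thread: an indexes.conf stanza that has to be present on every indexer, with two ways to check it in the comments. The index name `iis_summary` is a placeholder, and the paths assume the conventional layout under $SPLUNK_DB.

```ini
# indexes.conf: the same stanza must exist on every indexer (search peer),
# not only on the instance where the index was created through the UI.
# "iis_summary" is a placeholder name for the new index (assumption).
[iis_summary]
homePath   = $SPLUNK_DB/iis_summary/db
coldPath   = $SPLUNK_DB/iis_summary/colddb
thawedPath = $SPLUNK_DB/iis_summary/thaweddb

# Check 1, run on each indexer: is the stanza loaded, and from which file?
#   $SPLUNK_HOME/bin/splunk btool indexes list iis_summary --debug
#
# Check 2, run from the search head: which peers report the index?
#   | rest /services/data/indexes splunk_server=*
#   | search title=iis_summary
#   | table splunk_server title
#
# An indexer that is missing from the output of check 2 does not have
# the index defined.
```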