Why is my Global Summary "Latest event" value older than the last event in my system?

Lionel
Splunk Employee

I am logged in as Admin on my system and I noticed that the "Global Summary dashboard" does not take into consideration all the events in my system.

Why are not all the events in my system taken into account in the "Global Summary dashboard", as illustrated below?

[Screenshot of the Global Summary dashboard]

1 Solution

sideview
SplunkTrust

I think this is just because the global number accounts for all indexes, and the search in the screenshot is only of index=mail.

Even if you've only set up data inputs for the "mail" index, you may have other data indexed into the default index of "main", and Splunk always indexes a small but steady amount of metrics and other data into index="_internal".

If the _internal data is affecting that global number, that would be less than ideal, but hopefully it isn't:

Log in as admin (or else you cannot see the internal index) and search for

index=_internal | head 100   

and see if the latest event there matches the time shown on the dashboard. If it does, I think it's best considered as a bug and we can open a support case for it and try and get it fixed.

Lionel
Splunk Employee

The reason is that, by default, the Global Summary Index calculates the events which are stored in the "main" index. In the example above, the more recent events were coming from another index (mail in this particular example) and it was not set up correctly under Roles.

To change that:

  • Login to Splunk
  • Click on Manager hyperlink (Top right corner)
  • Click on Access Control (right column)
  • Click on Roles
  • Click on Admin (or the relevant user)
  • Scroll down to the Default index section and make sure all the indexes you are tracking are under the "selected indexes" column

[Screenshot: Splunk Manager - Splunk 4.1.3 (80534)]
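The same role change expressed as a configuration file, as an added example that is not part of this thread: the settings behind Manager > Access Control > Roles live in authorize.conf, and `srchIndexesDefault` is the list of indexes a search reads when it does not name an index (which is why a dashboard search stops at the last "main" event). The "mail" index comes from the thread; the `analyst` role is an assumption used to show the least-privilege side of the same setting.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf  (added example; the "analyst" role is assumed)

# Before: only "main" is searched by default, so a dashboard search with no
# index= clause never sees the newer events sitting in the "mail" index.
#[role_admin]
#srchIndexesDefault = main

# After: every index you are tracking is in the default list.
# Entries are ";"-separated and should also be covered by srchIndexesAllowed.
[role_admin]
srchIndexesDefault = main;mail
srchIndexesAllowed = *

# A non-admin role should only get the indexes it actually needs. Granting
# "_*" here would expose _internal (Splunk's own logs and metrics) to it.
[role_analyst]
importRoles = user
srchIndexesAllowed = mail
srchIndexesDefault = mail
```

Restart Splunk after editing the file so the role change takes effect, then run a search with no `index=` clause and confirm that events from both indexes appear. Note that `srchIndexesDefault` only changes what a search sees when it names no index; `srchIndexesAllowed` is what actually limits which indexes a role may read, so keep it narrow for non-admin roles.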
