Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Scheduled report not working as expected when collected to a new Summary index

Prasobh
Loves-to-Learn
‎12-12-2024 11:01 PM

Hi Team,

To reduce the time taken to load my Splunk dashboard, I created a new summary index to collect the events which retrieves the past 30 days of events and scheduled the same report to run every hour and "enabled the summary indexing" as per the documentation: Create a summary index in Splunk Web - Splunk Documentation

However, while checking the index, I could see that the data ingestion is not taking place as per the scheduled report.
Please find the attached screenshots for additional reference. Looking forward for a workaround or a solution.

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎12-22-2024 06:58 PM

I am sure this is documented somewhere but it catches everybody the first time.  It is not enough to just create the index on the indexers; you must also instantiate a dummy index on the Search Head(s), too!  If you do not, "collect" (wheter explicitly in the SPL or as an alert action) will not work AND will not generate any kind of error.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-16-2024 02:33 AM

Please find the requested screenshots

0 Karma
Reply

PaulPanther
Motivator
‎12-13-2024 12:32 AM

Please share the screenshots and the search that you use to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-16-2024 02:32 AM

Report scheduleReport scheduleSearch querySearch queryIndexIndexSummary indexSummary index

0 Karma
Reply

PaulPanther
Motivator
‎12-20-2024 03:11 AM

Remove the collect command in your search query. The enabled summary indexing is enough to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-21-2024 11:58 PM

Thank you for the update @PaulPanther .
As advised, i removed the collect command from my search query.

Prasobh_0-1734853987148.png

Even then, I am not able to get the events in the summary index. This search is scheduled to run every hour, even then the latest events, I could see is 10 days ago and not 1 hour. Scheduled report is not ingesting events to the summary index as i could observe.

Prasobh_1-1734854178138.png

Prasobh_2-1734854235473.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top