Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Scheduled report not working as expected when collected to a new Summary index

Prasobh
Loves-to-Learn
‎12-12-2024 11:01 PM

Hi Team,

To reduce the time taken to load my Splunk dashboard, I created a new summary index to collect the events which retrieves the past 30 days of events and scheduled the same report to run every hour and "enabled the summary indexing" as per the documentation: Create a summary index in Splunk Web - Splunk Documentation

However, while checking the index, I could see that the data ingestion is not taking place as per the scheduled report.
Please find the attached screenshots for additional reference. Looking forward for a workaround or a solution.

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎12-22-2024 06:58 PM

I am sure this is documented somewhere but it catches everybody the first time.  It is not enough to just create the index on the indexers; you must also instantiate a dummy index on the Search Head(s), too!  If you do not, "collect" (wheter explicitly in the SPL or as an alert action) will not work AND will not generate any kind of error.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-16-2024 02:33 AM

Please find the requested screenshots

0 Karma
Reply

PaulPanther
Motivator
‎12-13-2024 12:32 AM

Please share the screenshots and the search that you use to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-16-2024 02:32 AM

Report scheduleReport scheduleSearch querySearch queryIndexIndexSummary indexSummary index

0 Karma
Reply

PaulPanther
Motivator
‎12-20-2024 03:11 AM

Remove the collect command in your search query. The enabled summary indexing is enough to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-21-2024 11:58 PM

Thank you for the update @PaulPanther .
As advised, i removed the collect command from my search query.

Prasobh_0-1734853987148.png

Even then, I am not able to get the events in the summary index. This search is scheduled to run every hour, even then the latest events, I could see is 10 days ago and not 1 hour. Scheduled report is not ingesting events to the summary index as i could observe.

Prasobh_1-1734854178138.png

Prasobh_2-1734854235473.png

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...