Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Scheduled report not working as expected when collected to a new Summary index

Prasobh
Loves-to-Learn
3 weeks ago

Hi Team,

To reduce the time taken to load my Splunk dashboard, I created a new summary index to collect the events which retrieves the past 30 days of events and scheduled the same report to run every hour and "enabled the summary indexing" as per the documentation: Create a summary index in Splunk Web - Splunk Documentation

However, while checking the index, I could see that the data ingestion is not taking place as per the scheduled report.
Please find the attached screenshots for additional reference. Looking forward for a workaround or a solution.

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
a week ago

I am sure this is documented somewhere but it catches everybody the first time.  It is not enough to just create the index on the indexers; you must also instantiate a dummy index on the Search Head(s), too!  If you do not, "collect" (wheter explicitly in the SPL or as an alert action) will not work AND will not generate any kind of error.

0 Karma
Reply

Prasobh
Loves-to-Learn
2 weeks ago

Please find the requested screenshots

0 Karma
Reply

PaulPanther
Motivator
3 weeks ago

Please share the screenshots and the search that you use to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
2 weeks ago

Report scheduleReport scheduleSearch querySearch queryIndexIndexSummary indexSummary index

0 Karma
Reply

PaulPanther
Motivator
2 weeks ago

Remove the collect command in your search query. The enabled summary indexing is enough to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
2 weeks ago

Thank you for the update @PaulPanther .
As advised, i removed the collect command from my search query.

Prasobh_0-1734853987148.png

Even then, I am not able to get the events in the summary index. This search is scheduled to run every hour, even then the latest events, I could see is 10 days ago and not 1 hour. Scheduled report is not ingesting events to the summary index as i could observe.

Prasobh_1-1734854178138.png

Prasobh_2-1734854235473.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...