Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Scheduled report not working as expected when collected to a new Summary index

Prasobh
Loves-to-Learn
‎12-12-2024 11:01 PM

Hi Team,

To reduce the time taken to load my Splunk dashboard, I created a new summary index to collect the events which retrieves the past 30 days of events and scheduled the same report to run every hour and "enabled the summary indexing" as per the documentation: Create a summary index in Splunk Web - Splunk Documentation

However, while checking the index, I could see that the data ingestion is not taking place as per the scheduled report.
Please find the attached screenshots for additional reference. Looking forward for a workaround or a solution.

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎12-22-2024 06:58 PM

I am sure this is documented somewhere but it catches everybody the first time.  It is not enough to just create the index on the indexers; you must also instantiate a dummy index on the Search Head(s), too!  If you do not, "collect" (wheter explicitly in the SPL or as an alert action) will not work AND will not generate any kind of error.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-16-2024 02:33 AM

Please find the requested screenshots

0 Karma
Reply

PaulPanther
Motivator
‎12-13-2024 12:32 AM

Please share the screenshots and the search that you use to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-16-2024 02:32 AM

Report scheduleReport scheduleSearch querySearch queryIndexIndexSummary indexSummary index

0 Karma
Reply

PaulPanther
Motivator
‎12-20-2024 03:11 AM

Remove the collect command in your search query. The enabled summary indexing is enough to fill the summary index.

0 Karma
Reply

Prasobh
Loves-to-Learn
‎12-21-2024 11:58 PM

Thank you for the update @PaulPanther .
As advised, i removed the collect command from my search query.

Prasobh_0-1734853987148.png

Even then, I am not able to get the events in the summary index. This search is scheduled to run every hour, even then the latest events, I could see is 10 days ago and not 1 hour. Scheduled report is not ingesting events to the summary index as i could observe.

Prasobh_1-1734854178138.png

Prasobh_2-1734854235473.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top