I'm trying to backfill my summary index with 2 months worth of data with a report that gives results from the last minute. This is my report:
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index._type = event
alert.track = 0
cron_schedule = */1 * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","Price","ID","Date","Time"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_app = myapp
request.ui_dispatch_view = search
schedule_priority = higher
search = index="myindex" sourcetype="mysource"
| append [ search index="myindex" sourcetype="mysource" earliest=-1mon@mon latest=@mon
| stats avg(Price) as past_avg by ID ]
| eventstats values(past_avg) as past_avg by ID
| where Price > past_avg
| stats values(*) as * by ID
| table ID, Price, past_avg
I tried to fill it using this command:
splunk cmd python fill_summary_index.py -app Myapp -name "Summary_Population" -et -2mon@mon -lt @mon -dedup true
but I get this error:
*** For saved search 'Summary_Populating' ***
Failed to get list of scheduled times for saved search 'Summary_Populating' (app = 'Myapp', error = '[HTTP 404] https://127.0.0.1:8089/servicesNS/Myusername/Myapp/saved/searches/Summary_Populating/scheduled_times?earliest_time=-mon%40mon&latest_time=%40now; [{'type': 'ERROR', 'code': None, 'text': 'Action forbidden.'}]'
No searches to run
Does anyone have any idea why is this occurring and how to fix it?
Stupid mistake, I misspelled the name of the app and didn't notice it until now.
Stupid mistake, I misspelled the name of the app and didn't notice it until now.
Hi @MidnightRun,
Try with the -owner option for searches that are owned by a specific user or role. And also provide -auth username:password option.
splunk cmd python fill_summary_index.py -app Myapp -name "Summary_Population" -et -2mon@mon -lt @mon -dedup true -owner admin -auth admin:password
Thank you for the reply, I tried that but I still get the same result.