Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the earliest and latest for running a backfill script in realtime?

Dark_Ichigo
Builder
‎05-30-2012 10:00 PM

I want to run a backfill script to create a summary index, I want to do this in realtime!

I have tried using the rt but it doesnt seem to work as I have seen other questions about this only working under times.conf.

How can I run a backfill script in realtime, I would Like an example and not just what I need to put in the limits.conf

Thanks

0 Karma
Reply

daskuntal
Path Finder
‎08-17-2012 01:56 PM

Yes, you already answered your question. I believe what you are trying to do is exactly what a Summary Indexed search is supposed to do. Perform a scheduled search to populate the summary index. The problem with taht is, you will only start fillign up the index from the moment you created & started the running the Search.

What backfill script does is goes back in time & pre-fills the Summary Index with data from whoever many months you want to go back to.

Hope that clarifies your question.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-30-2012 10:44 PM

It's not possible to create a summary index in real time.

0 Karma
Reply

Dark_Ichigo
Builder
‎05-30-2012 11:31 PM

I want to run a backfill script to populate my summary index, the backfill script runs everyday via a cron job.

Can this be done without a backfill script and just a scheduled saved search with summary indexing enabled?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-30-2012 11:15 PM

I don't think I understand what you mean by backfill, or what you expect backfill is supposed to do.

0 Karma
Reply

Dark_Ichigo
Builder
‎05-30-2012 10:50 PM

Then whats the point of running a Backfill if you can just schedule a saved to populate a summary index?

Whats the closest to running a summary index in realtime?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...