Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the earliest and latest for running a backfill script in realtime?

Dark_Ichigo
Builder
‎05-30-2012 10:00 PM

I want to run a backfill script to create a summary index, I want to do this in realtime!

I have tried using the rt but it doesnt seem to work as I have seen other questions about this only working under times.conf.

How can I run a backfill script in realtime, I would Like an example and not just what I need to put in the limits.conf

Thanks

0 Karma
Reply

daskuntal
Path Finder
‎08-17-2012 01:56 PM

Yes, you already answered your question. I believe what you are trying to do is exactly what a Summary Indexed search is supposed to do. Perform a scheduled search to populate the summary index. The problem with taht is, you will only start fillign up the index from the moment you created & started the running the Search.

What backfill script does is goes back in time & pre-fills the Summary Index with data from whoever many months you want to go back to.

Hope that clarifies your question.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-30-2012 10:44 PM

It's not possible to create a summary index in real time.

0 Karma
Reply

Dark_Ichigo
Builder
‎05-30-2012 11:31 PM

I want to run a backfill script to populate my summary index, the backfill script runs everyday via a cron job.

Can this be done without a backfill script and just a scheduled saved search with summary indexing enabled?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-30-2012 11:15 PM

I don't think I understand what you mean by backfill, or what you expect backfill is supposed to do.

0 Karma
Reply

Dark_Ichigo
Builder
‎05-30-2012 10:50 PM

Then whats the point of running a Backfill if you can just schedule a saved to populate a summary index?

Whats the closest to running a summary index in realtime?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...