Hi Splunk team,
I have a scenario where I have a raw index and a summary index, and a scheduled search which is used to populate data from the raw index into the summary index. My scheduled search runs on a daily basis and fills the summary index, and everything is working fine as expected.
Now the problem is, for example, if my raw data is updated with a newer portion of data for already passed days, I need to fill this into the summary index as well, which I tried a backfill script for, but it gives me proper results.
Example :
index="main" -- raw index
index="summary" -- summary index
Assuming the main index has only Dec 12th data, i.e. with _time on Dec 12th, and the summary-generating search ran on Dec 12th and populated all the 12th data into the summary index.
Now let's say on Dec 15th a few more Dec 12th events have come in from the forwarder and have gone into the "main" index for Dec 12th. Now my issue is to fill in this newer portion of data in the summary index.
I have tried backfill and re-running the searches, but every time it's creating duplicates. I used the nolocal option as well, but no luck.
Any way to fill only the newer portion of data every time into a summary index?
Many thanks,
Rakesh.
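The following is an added simulation, not Splunk code and not part of Rakesh's post, that reproduces the duplicate problem described above with constructed sample events. It models a raw index whose events carry both an event time (`_time`) and an arrival time (`_indextime`), a summarizing search that is re-run over the same `_time` window on Dec 15th (which appends the already-summarized Dec 12th events a second time), and the alternative of selecting events by their index time, so each scheduled run picks up only what arrived since the previous run. The index names, hosts, byte counts and timestamps are all made up for the example; in a real search the index-time window would be expressed with the `_index_earliest` and `_index_latest` modifiers, and the summary rows produced this way are additive partials (the Dec 15th run contributes a second, smaller row for Dec 12th) that the reporting search must sum.

```python
"""Hypothetical simulation of late-arriving raw events and summary indexing.

Not Splunk code: events are plain dicts with '_time' (event timestamp) and
'_indextime' (when the event actually reached the index). All data below is
constructed for the example.
"""
from datetime import datetime, timezone


def ts(s):
    """Parse an ISO timestamp as UTC and return epoch seconds."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()


# Constructed raw index: two Dec 12th events indexed on Dec 12th, and two more
# Dec 12th events that only arrived from the forwarder on Dec 15th.
RAW_INDEX = [
    {"_time": ts("2023-12-12T01:00"), "_indextime": ts("2023-12-12T01:05"), "host": "a", "bytes": 100},
    {"_time": ts("2023-12-12T02:00"), "_indextime": ts("2023-12-12T02:05"), "host": "b", "bytes": 200},
    {"_time": ts("2023-12-12T03:00"), "_indextime": ts("2023-12-15T09:00"), "host": "a", "bytes": 50},
    {"_time": ts("2023-12-12T04:00"), "_indextime": ts("2023-12-15T09:01"), "host": "c", "bytes": 300},
]


def summarize(events):
    """Stand-in for the scheduled search's stats: count and sum(bytes) by host."""
    out = {}
    for e in events:
        s = out.setdefault(e["host"], {"count": 0, "bytes": 0})
        s["count"] += 1
        s["bytes"] += e["bytes"]
    return out


def select_by_time(raw, start, end):
    """What a search with earliest/latest on _time returns for [start, end)."""
    return [e for e in raw if start <= e["_time"] < end]


def select_by_indextime(raw, start, end):
    """What a search windowed on _indextime returns: events that arrived in [start, end)."""
    return [e for e in raw if start <= e["_indextime"] < end]


def summary_by_time_with_rerun(raw):
    """The scenario from the post: the Dec 12th run summarizes Dec 12th by _time,
    then a Dec 15th backfill re-runs the same _time window and appends the
    result to the summary index again. Already-summarized events are counted twice."""
    summary = []
    dec12, dec13 = ts("2023-12-12T00:00"), ts("2023-12-13T00:00")
    # Day-of run: only events that had been indexed by end of Dec 12th are visible.
    visible_on_dec12 = [e for e in raw if e["_indextime"] < dec13]
    summary.append(("2023-12-12", summarize(select_by_time(visible_on_dec12, dec12, dec13))))
    # Dec 15th backfill of the same _time window: now sees all four events.
    summary.append(("2023-12-12", summarize(select_by_time(raw, dec12, dec13))))
    return summary


def summary_by_indextime(raw):
    """Each daily run summarizes only the events indexed during the previous day,
    so the late Dec 12th events are summarized exactly once, by the Dec 15th run."""
    summary = []
    bounds = ["2023-12-12T00:00", "2023-12-13T00:00", "2023-12-14T00:00",
              "2023-12-15T00:00", "2023-12-16T00:00"]
    for lo, hi in zip(bounds, bounds[1:]):
        selected = select_by_indextime(raw, ts(lo), ts(hi))
        if selected:  # runs that saw nothing new write nothing
            summary.append((lo[:10], summarize(selected)))
    return summary


def totals(summary):
    """Reporting-time aggregation: sum the additive partial rows per host."""
    out = {}
    for _, row in summary:
        for host, v in row.items():
            t = out.setdefault(host, {"count": 0, "bytes": 0})
            t["count"] += v["count"]
            t["bytes"] += v["bytes"]
    return out


if __name__ == "__main__":
    print("truth      :", summarize(RAW_INDEX))
    print("_time rerun:", totals(summary_by_time_with_rerun(RAW_INDEX)))  # host a double-counted
    print("_indextime :", totals(summary_by_indextime(RAW_INDEX)))       # matches truth
</test>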