I have this simple search:
search index="summary" revenue=daily | timechart avg(daily) by sitename
...which as you can probably tell searches in a summary index through data about daily revenue. In the job inspector, it's telling me "Specified field(s) missing from results: 'daily'" even though there are over 44,000 events with the field in it, like this (some fields omitted):
06/25/2012 15:00:00, search_name="Daily Revenue by Site", search_now=1340663400.000, info_min_time=1340661600.000, info_max_time=1340663400.000, info_search_time=1340663434.230, daily="56.03", sitename="foo.com", revenue="daily"
What's going on? Do I need to do something special for summary indexes? Aren't they designed to work transparently like any other kind of index?
EDIT:
The search that adds to the index looks like:
index="billing" sourcetype="billing_log"
| bucket _time span=1h
| sistats sum(amt) by sitename
| rename psrsvd_sm_amt as daily
I also thought maybe it had to do with the rename, so in the search consuming the summary index, I did some dummy searches on some of the auto-generated fields like psrsvd_ss_amt. Still no results.
THE GIST:
What I'm really hoping to do is to identify the sites whose revenue for the last 24 hours is 10% <> the historical average FOR THAT SITE. For this to happen I need the historical averages for each site, and I need them up to date. So the simple search at the top is really an intermediate step, but every approach I can think of somehow involves a summary index of daily revenue and/or its average. And if I can't even search through the fields in the summary index, I'm stuck.
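As an added example that is not part of the original question: the per-site comparison described in the last paragraph, written in Python over a constructed handful of summary events in the key="value" layout quoted above. It assumes each event carries `daily` and `sitename` as in the sample, and it treats every event older than 24 hours as that site's historical baseline.

```python
import re
from datetime import datetime, timedelta
# Constructed sample events in the key="value" layout the question quotes
# (sites, dates and amounts are made up for this example).
EVENTS = """\
06/26/2012 15:00:00, daily="56.03", sitename="foo.com", revenue="daily"
06/27/2012 15:00:00, daily="58.10", sitename="foo.com", revenue="daily"
06/28/2012 15:00:00, daily="80.00", sitename="foo.com", revenue="daily"
06/26/2012 15:00:00, daily="10.00", sitename="bar.org", revenue="daily"
06/27/2012 15:00:00, daily="10.50", sitename="bar.org", revenue="daily"
06/28/2012 15:00:00, daily="10.20", sitename="bar.org", revenue="daily"
"""
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Split one summary event into its timestamp and quoted key=value fields."""
    ts_text, _, rest = line.partition(", ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = datetime.strptime(ts_text, "%m/%d/%Y %H:%M:%S")
    fields["daily"] = float(fields["daily"])
    return fields

def flag_sites(events, now, threshold=0.10):
    """Map site -> (last_24h, site_avg, ratio) for sites whose last-24h revenue
    is more than `threshold` away from that site's own earlier average."""
    cutoff = now - timedelta(hours=24)
    recent, history = {}, {}
    for ev in events:
        bucket = recent if ev["_time"] > cutoff else history
        bucket.setdefault(ev["sitename"], []).append(ev["daily"])
    flagged = {}
    for site, vals in recent.items():
        past = history.get(site)
        if not past:  # no per-site baseline yet, so nothing to compare against
            continue
        avg = sum(past) / len(past)
        cur = sum(vals)
        ratio = (cur - avg) / avg
        if abs(ratio) > threshold:
            flagged[site] = (cur, avg, ratio)
    return flagged

def run():
    events = [parse_event(l) for l in EVENTS.splitlines() if l.strip()]
    return flag_sites(events, now=datetime(2012, 6, 28, 16, 0, 0))

if __name__ == "__main__":
    for site, (cur, avg, ratio) in run().items():
        print(f"{site}: last 24h {cur:.2f} vs site avg {avg:.2f} ({ratio:+.1%})")
```

With the sample data only foo.com is flagged (80.00 against a baseline of 57.07, about +40%), while bar.org stays within the 10% band.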