|
Hi folks, Running Splunk v4.1.4 on x64 Linux. I have around 7 summary-indexing saved-reports set to run hourly and write their results into index=summary. Their all configured identically, their just searching for different logs. Each job is configured to run with the basic scheduler every hour, and the summary index box is selected and the index selected for the summary is summary (the default). I have about 4-graphs and these all summarize and write to index=summary just fine. I can search index=summary and see the results. However i have another set of graphs configured identically, and these seem to run but refuse to write anything to index=summary. I can tell they've run because in index=_internal it tells me that the saved-search ran, status=successful, and even returned results. The alert_action is also "summary_index" which tells me Splunk knows it should write to summary=index, it just does not for some of the graphs. Currently, all 7 saved reports are configured to run every hour on the hour. I'm thinking of skewing the graphs, as i suspect i may have hit a concurrency restriction, but i would think if that was the case i shouldnt be seeing status=successful in index=_internal. I've looked under the Status dropdown under Scheduling errors and thats clean. Has anyone come across this, or have any ideas of further things i can check? My next test is to skew the saved-reports so they dont all run at once, see if that helps. Any thoughts/idea's would be appreciated! Chris. |
|
Sorry folks, forgot to update this question with the eventual answer :) This turned out to be a bug (which i havent tested has been fixed, but i assume it has) with having certain characters in the title of a saved-search. Searches that had a '/' character in the name did not run, which is why i saw what i saw. Replacing the offending character allowed the saved-search to run as normal. I believe this should be fixed now in most recent versions of Splunk. |
|
So you are saying that the Is it always the same saved searches that fail to write anything to the summary index, or is it different ones at different times? You should be able to see that by running a search like this: BTW, staggering your saved searches is a good idea in any case. Also keep in mind that moving the scheduled time doesn't have to change the time window you are summarizing; you can setup the timeframe still be full hour intervals using |
|
Thanks for the search - it's an easy-to-read view of what i was seeing. Here's a summarized version. Reports A-D work ok, Reports E, F, G, do not write to the summary index. Ran the above search over 7-days of data.
Seems E & F have non-zero minimum's, and G is min=0, max=0. Very mixed results. I take your point on the delayed saved-searches. I'll adjust the schedule as mentioned. Thanks, Chris. |