Re: Not getting data from summary index

1200125 · ‎03-26-2020

We have created a summary Index in Splunk with a cron schedule to run every 15 minutes but while using that Summary Index ad setting the time as today ,We are not getting any data,WHat could be the reason ?

woodcock · ‎03-26-2020

Even though the Summary Index exists on the Indexers, if you do not have an indexes.conf file on your Search Head that defines Webtop_UCF_Operations then you will NOT be able to write to it. Read from it, yes, but not write. Yes, I am totally serious.

rashi83 · ‎03-27-2020

What if summary index exists on SH only . Issue is the scheduled search doesn't run every time even with job priority set as Highest. Is this happening because its been run too frequently ?

OR should this summary index be created in Indexer first ?
@woodcock

woodcock · ‎03-27-2020

Create a real index on the indexers that will get the data and a fake one on the Search Head that will never get data.

rashi83 · ‎03-27-2020

@woodcock - that mean scheduled search / report will also need to be scheduled on Indexer itself instead of SH.

Is there any documentation in particular from Splunk about this .

woodcock · ‎03-27-2020

NO! Your Search Head should be configured as per best-practices to forward all events to the Indexers. All events from anywhere/everywhere go to Indexers.

Not getting data from summary index

summary indexing

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!