Sometimes you have no idea when your logs will be indexed, as when they are delivered in batches on unreliable networks. This is what I would call "unpredictable latency". For one possible solution, take a look at the app indextime search available at http://splunkbase.com.
How and when to backfill summary data

If you are building reports against summary data, you of course need enough time represented in your summary index. If your report represents only a day or two, then you can probably just wait for the summary to have enough information. If you need the report to work sooner rather than later, or the time frame is longer, then you can backfill your summary index.
Using fill_summary_index.py to backfill

The fill_summary_index.py script allows you to backfill the summary index for any time period you like. It does this by running the saved searches you have defined to populate your summary indexes, but for the time periods you specify.

To use the script, follow the given procedure:

1. Create your scheduled search, as detailed previously in the Populating summary indexes with saved searches section.

2. Log in to the shell on your Splunk instance. If you are running a distributed environment, log in to the search head.

3. Change directories to the Splunk bin directory: cd $SPLUNK_HOME/bin. $SPLUNK_HOME is the root of your Splunk installation. The default installation directory is /opt/splunk on Unix operating systems, and c:\Program Files\Splunk on Windows.

4. Run the fill_summary_index command. An example from inside the script is as follows:

    ./splunk cmd python fill_summary_index.py -app is_app_one -name "summary - count by user" -et -30d -lt now -j 8 -dedup true -auth admin:changeme
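The invocation above puts admin:changeme on the command line, where it lands in shell history. As an added example (not from the book or from Splunk), the following POSIX sh wrapper runs the same backfill with only the flags shown above, checks the arguments first, and takes the credential from an environment variable; the wrapper, its checks and the SPLUNK_BACKFILL_AUTH variable are assumptions of this example.

```shell
#!/bin/sh
# Wrapper for Splunk's fill_summary_index.py (added example, not book code).
# Flags used are the ones the book shows: -app -name -et -lt -j -dedup -auth.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # default Unix install root

# Accept the time forms the book uses (relative such as -30d, and now),
# snapped forms such as -7d@d, and epoch seconds; reject anything else so a
# typo does not backfill the wrong window.
valid_time() {
    case "$1" in
        now|[-+@][0-9a-z@]*|[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the arguments and print the command line that would run, with the
# credential replaced by a placeholder so the output is safe to log.
# Usage: fill_cmd APP "SAVED SEARCH NAME" EARLIEST LATEST [JOBS]
fill_cmd() {
    app=${1:-} name=${2:-} et=${3:-} lt=${4:-} jobs=${5:-8}
    [ -n "$app" ] && [ -n "$name" ] || { echo "app and name required" >&2; return 1; }
    valid_time "$et" && valid_time "$lt" || { echo "bad time spec" >&2; return 1; }
    case "$jobs" in ''|*[!0-9]*|0) echo "jobs must be > 0" >&2; return 1 ;; esac
    printf '%s\n' "./splunk cmd python fill_summary_index.py -app $app -name \"$name\" -et $et -lt $lt -j $jobs -dedup true -auth <redacted>"
}

# Run the backfill. The user:password pair comes from SPLUNK_BACKFILL_AUTH
# (assumed name) instead of being typed after -auth, so it stays out of shell
# history; it is still visible in the process list while the script runs.
run_backfill() {
    fill_cmd "$@" >/dev/null            # fail early on bad input
    : "${SPLUNK_BACKFILL_AUTH:?set SPLUNK_BACKFILL_AUTH to user:password}"
    cd "$SPLUNK_HOME/bin"
    ./splunk cmd python fill_summary_index.py -app "$1" -name "$2" \
        -et "$3" -lt "$4" -j "${5:-8}" -dedup true -auth "$SPLUNK_BACKFILL_AUTH"
}

# The book's example, with the credential moved to the environment:
#   SPLUNK_BACKFILL_AUTH=admin:changeme ./backfill.sh is_app_one \
#       "summary - count by user" -30d now 8
if [ $# -gt 0 ]; then
    run_backfill "$@"
fi
```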