Let's break down these arguments in the following manner:
./splunk cmd : This essentially sets environment variables so that whatever
runs next has the appropriate settings to find Splunk's libraries and included
Python modules.
python fill_summary_index.py : This runs the script itself using the
Python executable and modules included with the Splunk distribution.
-app is_app_one : This is the name of the app that contains the summary-
populating saved searches in question.
-name "summary - count by user" : The name of the saved search to run. "*"
will run all summary-populating searches contained in the app specified.
-et -30d : This is the earliest time to consider. The script works out which
time slices fall between -et and -lt and runs one search per slice to populate
the summary index.
-lt now : This is the latest time to consider.
-j 8 : This determines how many of those searches to run concurrently.
-dedup true : This makes the script check whether the summary index already
holds results for each slice of time and skip the slices that do. Without this
flag, you could end up with duplicate entries in your summary index. For some
statistics this wouldn't matter, but for most it would.
If you are concerned that you have summary data that is incomplete,
perhaps because summary events were produced while an indexer
was unavailable, you should investigate the delete command to
remove these events first. The delete command is not efficient,
and should be used sparingly, if at all. Note that it only marks
events as unsearchable rather than freeing disk space, and the
user running it needs the can_delete capability, which even admin
does not have by default.
-auth admin:changeme : The credentials used to run the searches. admin:changeme
is Splunk's factory default; use a dedicated account for backfills and change the
default password. Bear in mind that anything passed on the command line ends up
in your shell history and is visible to other local users through ps.
When you run this script, it will run the query with the appropriate times, as if
the query had been run at those times in the past. This can be a very slow process,
particularly if the number of slices is large. For instance, slices every 5 minutes for
a month would be 30 * 24 * (60/5) = 8,640 queries.
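As an added example (not code from the book or from Splunk), the following POSIX shell wrapper runs the backfill with the arguments discussed above, estimates the number of searches first, and reads the credentials from a file that only the invoking user can read instead of typing admin:changeme on the command line. SPLUNK_HOME, the credentials file path ($HOME/.splunk_backfill_auth) and the account name backfill_svc are assumptions; DRY_RUN=1 prints the command with the password masked instead of executing it.

```shell
#!/bin/sh
# Added example, not from the book: wrapper around Splunk's fill_summary_index.py.
# Assumptions: SPLUNK_HOME is a Splunk install, and AUTH_FILE (hypothetical
# path) holds one line "user:password" with mode 0600. DRY_RUN=1 prints the
# command instead of running it; BACKFILL_MAIN=1 runs run_backfill with "$@".
set -eu

: "${SPLUNK_HOME:=/opt/splunk}"
: "${AUTH_FILE:=${HOME:-/tmp}/.splunk_backfill_auth}"
: "${DRY_RUN:=0}"

# Number of searches a backfill runs: one per slice of the span.
# slice_count 30 5 -> 8640, the figure worked out in the text.
slice_count() {
    days=$1; interval_min=$2
    echo $(( days * 24 * (60 / interval_min) ))
}

# Refuse Splunk's factory-default login; a backfill job should use a dedicated
# account that can search the source data and write to the summary index.
reject_default_creds() {
    case "$1" in
        admin:changeme)
            echo "refusing Splunk's factory-default credentials" >&2
            return 1 ;;
    esac
    return 0
}

# Only trust a credentials file that nobody else can read (mode 600 or 400).
check_auth_file() {
    f=$1
    [ -f "$f" ] || { echo "credentials file missing: $f" >&2; return 1; }
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null || echo unknown)
    case "$perms" in
        600|400) return 0 ;;
        *) echo "$f is mode $perms; expected 600" >&2; return 1 ;;
    esac
}

# Usage: run_backfill APP SEARCH_NAME EARLIEST LATEST JOBS INTERVAL_MINUTES
run_backfill() {
    app=$1; name=$2; earliest=$3; latest=$4; jobs=$5; interval_min=$6
    check_auth_file "$AUTH_FILE"
    auth=$(head -n 1 "$AUTH_FILE")
    reject_default_creds "$auth"
    # Warn about runtime when the earliest time is a simple "-Nd" offset.
    case "$earliest" in
        -*d) days=${earliest#-}; days=${days%d}
             echo "about $(slice_count "$days" "$interval_min") searches to run" >&2 ;;
    esac
    set -- ./splunk cmd python fill_summary_index.py \
        -app "$app" -name "$name" -et "$earliest" -lt "$latest" \
        -j "$jobs" -dedup true -auth "$auth"
    if [ "$DRY_RUN" = 1 ]; then
        # Mask the password so the dry-run output is safe to paste into a ticket.
        printf '%s ' "$@" | sed "s/-auth [^ ]*/-auth ${auth%%:*}:***/"; echo
    else
        cd "$SPLUNK_HOME/bin"
        "$@"
    fi
}

if [ "${BACKFILL_MAIN:-0}" = 1 ]; then
    run_backfill "$@"
fi
```

A typical call is `BACKFILL_MAIN=1 ./backfill.sh is_app_one "summary - count by user" -30d now 8 5`. The credentials file keeps the password out of your shell history, but fill_summary_index.py still receives it through -auth, so it remains visible in ps for the duration of the run; that is another reason to use a dedicated, minimally privileged account rather than admin.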