I'm trying to set up some summary indexes, but the summary index is missing random events. The scheduled search job is running, but the data is just not in the index.
For example:
![missing events](http://i.imgur.com/3Lbl4kL.png)
Notice that the event for 11:09 is missing. Yet when I look in the job activity, the job fired off:
![job activity](http://i.imgur.com/LFtzpsN.png)
Note that the job at 11:10 fills in the summary index data for 11:09. Below is from the job inspection output. The times fit right where the 11:09 event is supposed to be.
![](http://i.imgur.com/vff4L1W.png)
This isn't a case of the job running too long. As you can see in the job list, it completes in less than a second.
The query that is running is very simple:
```
host=iad1bf5* program=ltm request request="GET /" | stats dc(client_ip)
```
I have a copy of the job inspection output, as well as the search.log, and can provide any info needed from there.
This is with Splunk 6.3.2.