Hi Fellow Splunkers,
After having upgraded to 6.4.1 yesterday, I had a go with fill_summary_index.py again, and noticed that I am still getting the same error "No scheduled times for your time range", which I had been getting for a year or longer.
Being in dire need of it this time, I tried to backfill different searches, e.g. using sistats, using collect, basic and cron scheduling. To my surprise even the most basic search (basic scheduling 1 hour, using sistats and flagging "enable summary indexing" in the webgui search edit form), was getting the same error "No scheduled times...".
Taking a deeper look at it with @Daubsi, we found that:
- manually searching the designated REST endpoint (saved/searches/{name}/scheduled_times) returned the needed list "scheduled_times"
1465292100 1465293000
...
- Looking at the function output of getSavedSearchWithTimes in fill_summary_index.py, this returned the definition of the search in question, but without scheduled_times. It looks pretty much as if only the search definition without scheduled_times was queried.
- Taking a look at saved.py and entity.py, we could not make out where the needed REST URI .../scheduled_times would be prepended
- Changing a few lines to make fill_summary_index.py use the REST endpoint (saved/searches/{name}/scheduled_times) made the script run again as it used to. It found the scheduled_times just happily.
How is your mileage with fill_summary_index.py? Does it work as intended in 6.3+? As it is probably in heavy use out there, I would be a little surprised if it's really going to the wrong endpoint.
Olli