Hi Splunk team,
I have a scenario where I have a raw index and a summary index, and a scheduled search which is used to populate data from the raw index to the summary index. My scheduled search runs on a daily basis and fills the summary index; everything is working fine as expected.
Now here the problem is, for example, if my raw data is updated with a newer portion of data on already passed days, I need to fill this into the summary index as well, which I tried the backfill script for, but it gives me proper results.
Example:
index="main" -- raw index
index="summary" -- summary index
Assuming index main has only Dec 12th data, i.e. with _time Dec 12th, and the summary generating search ran on Dec 12th and populated all the 12th data in the summary index.
Now let's say on Dec 15th I had a few more data of Dec 12th which has come now from the forwarder; it has gone to the "main" index for Dec 12th. Now my issue is to fill in this newer portion of data in the summary index.
I have tried backfill and re-running the searches, but every time it's creating duplicates. Used the nolocal option as well but no luck.
Any way to fill only the newer portion of data every time to the summary index?
Many thanks,
Rakesh.
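An added example, not part of Rakesh's post, showing one way to pick up only the newly indexed portion of old days without re-running the original search over `_time` and creating duplicates. The idea is to select events by the time they were indexed (`_indextime`, via the `_index_earliest` / `_index_latest` search modifiers) rather than by the event timestamp, so a daily run catches whatever the forwarder delivered during the previous day, whatever `_time` those events carry. The index names `main` and `summary` come from the post; the fields `host` and `sourcetype`, the 30-day lookback window, the field name `event_count`, the marker value `report=daily_host_count`, and the assumption that the search is scheduled to run once a day shortly after midnight are all assumptions made for this example.

```spl
index=main earliest=-30d@d latest=now _index_earliest=-1d@d _index_latest=@d
| bin _time span=1d
| stats count AS event_count BY _time, host, sourcetype
| collect index=summary marker="report=daily_host_count"

index=summary report=daily_host_count earliest=-30d@d
| stats sum(event_count) AS event_count BY _time, host, sourcetype

index=main earliest=-30d@d latest=now _index_earliest=-1d@d _index_latest=@d
| where _time < relative_time(_indextime, "@d")
| stats count AS late_events, min(_time) AS oldest_event_time BY host, sourcetype
| convert ctime(oldest_event_time)
```

The first search is the scheduled one: `_index_earliest=-1d@d _index_latest=@d` restricts it to events indexed yesterday, `bin _time span=1d` keeps each row on the day the event actually belongs to (so late Dec 12th data lands on a Dec 12th row even when it is indexed on Dec 15th), and `collect` writes the rows to the summary index. Because each run only sees events it has not seen before, late arrivals produce an additional row for that day rather than a second copy of the original row; the second search is the reporting search, which sums those partial rows back together. The third search is a check to run before trusting the approach: it lists the events indexed yesterday whose `_time` falls on an earlier day, i.e. exactly the "newer portion of old data" the post asks about. Two caveats: write to the summary either with `collect` in the search or with the saved search's summary indexing action, not both, or every row will be stored twice; and any event that arrives later than the `earliest=-30d@d` lookback is skipped, so widen that window to match the longest delay the forwarder can realistically have.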