How and when to backfill summary data
If you are building reports against summary data, you of course need enough time represented in your summary index. If your report represents only a day or two, then you can probably just wait for the summary to have enough information. If you need the report to work sooner rather than later, or the time frame is longer, then you can backfill your summary index.
Using fill_summary_index.py to backfill
The fill_summary_index.py script allows you to backfill the summary index for any time period you like. It does this by running the saved searches you have defined to populate your summary indexes, but for the time periods you specify.
To use the script, follow the given procedure:
Create your scheduled search, as detailed previously in the Populating summary indexes with saved searches section.
Log in to the shell on your Splunk instance. If you are running a distributed environment, log in to the search head.
Change directories to the Splunk bin directory....
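Because the script reruns the scheduled search once per past interval, the thing to get right is the set of windows it covers and that a rerun does not double-count periods the summary already holds. The following is an added illustration of that logic, not the fill_summary_index.py script's own code; the timestamps, the hourly schedule and the "already summarized" times are constructed.

```python
"""Model of how a summary-index backfill is scheduled.

Added illustration only (not fill_summary_index.py): it derives one
window per scheduled interval and skips windows whose summary event
already exists, so a re-run does not double-count.
"""
from datetime import datetime, timedelta


def backfill_windows(earliest, latest, interval):
    """Return (earliest, latest) pairs covering [earliest, latest),
    aligned to the schedule interval measured from midnight, so each
    window matches exactly one run of the scheduled saved search."""
    if interval <= timedelta(0):
        raise ValueError("interval must be positive")
    day_start = earliest.replace(hour=0, minute=0, second=0, microsecond=0)
    # Snap the first window down to an interval boundary.
    start = day_start + ((earliest - day_start) // interval) * interval
    windows = []
    while start < latest:
        end = start + interval
        windows.append((start, end))
        start = end
    return windows


def windows_to_run(windows, existing_summary_times):
    """Drop windows whose summary event is already present; this is the
    de-duplication a backfill needs when it overlaps real scheduled runs."""
    have = set(existing_summary_times)
    return [w for w in windows if w[0] not in have]


def example():
    """Constructed sample: hourly summary search, backfill 00:30-03:00,
    with the 01:00 hour already summarized by the live schedule."""
    earliest = datetime(2024, 1, 1, 0, 30)   # constructed
    latest = datetime(2024, 1, 1, 3, 0)      # constructed
    already = [datetime(2024, 1, 1, 1, 0)]   # constructed
    windows = backfill_windows(earliest, latest, timedelta(hours=1))
    return windows, windows_to_run(windows, already)


if __name__ == "__main__":
    for start, end in example()[1]:
        print(f"run summary search for {start:%H:%M}-{end:%H:%M}")
```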