I started playing for Splunk Metrics rollups and but then tried to step out of the box and got a “Failed to apply rollup policy to index=’…’. Summary span=’7d’ cannot be cron scheduled” error.
While you can configure the rollup policies in the Splunk UI, you can also do it using Splunk’s REST API or using spunk configuration files (metric_rollups.conf).
Here is the interesting part: your rollup span value is limited only to the values available in the UI drop-down (no matter which method of configuration you are using).
The options that you can use are:
| Minute Span | Hourly Span | Daily Span | Notes |
|---|---|---|---|
| 1m* | requires limits.conf update | ||
| 2m* | requires limits.conf update | ||
| 3m* | requires limits.conf update | ||
| 5m | |||
| 6m | |||
| 10m | |||
| 12m | |||
| 20m | |||
| 30m | |||
| 60m | 1h | ||
| 1h | |||
| 3h | |||
| 4h | |||
| 6h | |||
| 8h | |||
| 12h | |||
| 24h | 1d |
If you will try to use any other value you will see the following error in the splunkd.log: 12-12-2022 14:04:08.645 +1100 ERROR MetricsRollupPolicy [12181677 TcpChannelThread] - Failed to apply rollup policy to index='...'. Summary span='7d' cannot be cron scheduled.
This is not (as of 15/12/2022) a documented “feature”.