https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-summary-index-and-sourcetype-in-Splunk/m-p/673045#M112738 <P>As far as I know, any index that receives results of a scheduled report is considered a summary index (i.e. using the collect command in a search or configuration of the "action.summary_index" parameter in savedsearches.conf.<BR /><BR />To look for savedsearches using either one of these methods you can search the rest endpoint like this.<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/saved/searches | fields + title, qualifiedSearch, "action.summary_index", "action.summary_index.*" | where match(qualifiedSearch, "(?i)\|(?:\s|\n)*collect") OR ('action.summary_index'=="1" OR match('action.summary_index', "(?i)true")) | rename title as savedsearch_name | rex field=qualifiedSearch max_match=0 "(?&lt;collect_spl&gt;\|\s*collect\s+[^\n]+)" | fields + savedsearch_name, collect_spl, "action.summary_index", "action.summary_index.*"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>From here you could set up regex to extract index/sourcetype from the "collect_spl" field or use the "action.summary_index.*" values to gather that info.<BR /><BR />Its possible for the "collect_spl" field to contain only index and even then, that index specification could be stored in a macro, so those situations may be a bit more tricky.<BR /><BR />It is also possible for a parameter called "output_format=hec" to be used along with the collect command and if this is the case then, sourcetype and source will not be specified with the collect command and are rather defined in the SPL itself.<BR /><BR />You can see examples of these scenarios here</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1704220616354.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28715iADB433A73569F802/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1704220616354.png" alt="dtburrows3_0-1704220616354.png" /></span></P><P>To use this method to the end result of a report listing index/sourcetypes that are being utilized as a summary index you can use SPL like this. (Note: there is a custom splunk command being used in this code that expands macros all the way down before we attempt to do any extractions of collect metadata. You can DM me if you would want me to share the script to do this)</P><LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/saved/searches | fields + title, qualifiedSearch, "action.summary_index", "action.summary_index.*" | where match(qualifiedSearch, "(?i)\|(?:\s|\n)*collect") OR ('action.summary_index'=="1" OR match('action.summary_index', "(?i)true")) | rename title as savedsearch_name ``` this is a splunk custom command I created, reach out to me through DM and I can share the code ``` | expandmacros input_field=qualifiedSearch output_field=expanded_spl | rex field=expanded_spl max_match=0 "(?&lt;collect_spl&gt;\|\s*collect\s+[^\n]+)" | where isnotnull(collect_spl) OR ('action.summary_index'=="1" OR match('action.summary_index', "(?i)true")) | fields + savedsearch_name, collect_spl, expanded_spl, "action.summary_index", "action.summary_index.*" | rex field=expanded_spl max_match=0 "(?i)\|\s*(?&lt;eval_spl&gt;eval\s+[^\|]+)" | eval eval_spl=mvfilter(match(eval_spl, "\s+source(?:type)?\"?\s*\=\s*\"")) | rex field=eval_spl max_match=0 "\s+sourcetype\"?\s*\=\s*\"(?&lt;inline_set_sourcetype&gt;[^\"]+)" | rex field=eval_spl max_match=0 "\s+source\"?\s*\=\s*\"(?&lt;inline_set_source&gt;[^\"]+)" | rex field=collect_spl max_match=0 "index\s*\=\s*\"?(?&lt;summary_index&gt;[a-zA-Z0-9\-\_]+)" | rex field=collect_spl max_match=0 "sourcetype\s*\=\s*\"?(?&lt;summary_sourcetype&gt;[a-zA-Z0-9\-\_]+)" | rex field=collect_spl max_match=0 "source\s*\=\s*\"?(?&lt;summary_source&gt;[a-zA-Z0-9\-\_]+)" | fields + savedsearch_name, collect_spl, summary_index, summary_sourcetype, summary_source, inline_set_sourcetype, inline_set_source, "action.summary_index", "action.summary_index.*" | eval summary_index=mvdedup( mvappend( 'summary_index', 'action.summary_index._name' ) ), summary_sourcetype=mvdedup( mvappend( summary_sourcetype, inline_set_sourcetype ) ), summary_source=mvdedup( mvappend( summary_source, inline_set_source ) ) | fillnull value="stash" summary_sourcetype | fields - inline_* | stats dc(savedsearch_name) as dc_savedsearches by summary_index, summary_sourcetype | sort 0 -dc_savedsearches</LI-CODE><P>&nbsp;Final output would look something like this. (screenshot has been redacted)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1704223671656.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28716iA71B81B19792BB0B/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1704223671656.png" alt="dtburrows3_0-1704223671656.png" /></span></P><P>&nbsp;</P> Tue, 02 Jan 2024 19:28:06 GMT dtburrows3 2024-01-02T19:28:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-summary-index-and-sourcetype-in-Splunk/m-p/673041#M112736 <P>I want to get the list of summary index configured in splunk. Please help me with queries to get the summary index and sourcetype</P> Tue, 02 Jan 2024 18:01:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-summary-index-and-sourcetype-in-Splunk/m-p/673041#M112736 harishsplunk7 2024-01-02T18:01:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-summary-index-and-sourcetype-in-Splunk/m-p/673045#M112738 <P>As far as I know, any index that receives results of a scheduled report is considered a summary index (i.e. using the collect command in a search or configuration of the "action.summary_index" parameter in savedsearches.conf.<BR /><BR />To look for savedsearches using either one of these methods you can search the rest endpoint like this.<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/saved/searches | fields + title, qualifiedSearch, "action.summary_index", "action.summary_index.*" | where match(qualifiedSearch, "(?i)\|(?:\s|\n)*collect") OR ('action.summary_index'=="1" OR match('action.summary_index', "(?i)true")) | rename title as savedsearch_name | rex field=qualifiedSearch max_match=0 "(?&lt;collect_spl&gt;\|\s*collect\s+[^\n]+)" | fields + savedsearch_name, collect_spl, "action.summary_index", "action.summary_index.*"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>From here you could set up regex to extract index/sourcetype from the "collect_spl" field or use the "action.summary_index.*" values to gather that info.<BR /><BR />Its possible for the "collect_spl" field to contain only index and even then, that index specification could be stored in a macro, so those situations may be a bit more tricky.<BR /><BR />It is also possible for a parameter called "output_format=hec" to be used along with the collect command and if this is the case then, sourcetype and source will not be specified with the collect command and are rather defined in the SPL itself.<BR /><BR />You can see examples of these scenarios here</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1704220616354.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28715iADB433A73569F802/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1704220616354.png" alt="dtburrows3_0-1704220616354.png" /></span></P><P>To use this method to the end result of a report listing index/sourcetypes that are being utilized as a summary index you can use SPL like this. (Note: there is a custom splunk command being used in this code that expands macros all the way down before we attempt to do any extractions of collect metadata. You can DM me if you would want me to share the script to do this)</P><LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/saved/searches | fields + title, qualifiedSearch, "action.summary_index", "action.summary_index.*" | where match(qualifiedSearch, "(?i)\|(?:\s|\n)*collect") OR ('action.summary_index'=="1" OR match('action.summary_index', "(?i)true")) | rename title as savedsearch_name ``` this is a splunk custom command I created, reach out to me through DM and I can share the code ``` | expandmacros input_field=qualifiedSearch output_field=expanded_spl | rex field=expanded_spl max_match=0 "(?&lt;collect_spl&gt;\|\s*collect\s+[^\n]+)" | where isnotnull(collect_spl) OR ('action.summary_index'=="1" OR match('action.summary_index', "(?i)true")) | fields + savedsearch_name, collect_spl, expanded_spl, "action.summary_index", "action.summary_index.*" | rex field=expanded_spl max_match=0 "(?i)\|\s*(?&lt;eval_spl&gt;eval\s+[^\|]+)" | eval eval_spl=mvfilter(match(eval_spl, "\s+source(?:type)?\"?\s*\=\s*\"")) | rex field=eval_spl max_match=0 "\s+sourcetype\"?\s*\=\s*\"(?&lt;inline_set_sourcetype&gt;[^\"]+)" | rex field=eval_spl max_match=0 "\s+source\"?\s*\=\s*\"(?&lt;inline_set_source&gt;[^\"]+)" | rex field=collect_spl max_match=0 "index\s*\=\s*\"?(?&lt;summary_index&gt;[a-zA-Z0-9\-\_]+)" | rex field=collect_spl max_match=0 "sourcetype\s*\=\s*\"?(?&lt;summary_sourcetype&gt;[a-zA-Z0-9\-\_]+)" | rex field=collect_spl max_match=0 "source\s*\=\s*\"?(?&lt;summary_source&gt;[a-zA-Z0-9\-\_]+)" | fields + savedsearch_name, collect_spl, summary_index, summary_sourcetype, summary_source, inline_set_sourcetype, inline_set_source, "action.summary_index", "action.summary_index.*" | eval summary_index=mvdedup( mvappend( 'summary_index', 'action.summary_index._name' ) ), summary_sourcetype=mvdedup( mvappend( summary_sourcetype, inline_set_sourcetype ) ), summary_source=mvdedup( mvappend( summary_source, inline_set_source ) ) | fillnull value="stash" summary_sourcetype | fields - inline_* | stats dc(savedsearch_name) as dc_savedsearches by summary_index, summary_sourcetype | sort 0 -dc_savedsearches</LI-CODE><P>&nbsp;Final output would look something like this. (screenshot has been redacted)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1704223671656.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28716iA71B81B19792BB0B/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1704223671656.png" alt="dtburrows3_0-1704223671656.png" /></span></P><P>&nbsp;</P> Tue, 02 Jan 2024 19:28:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-summary-index-and-sourcetype-in-Splunk/m-p/673045#M112738 dtburrows3 2024-01-02T19:28:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-summary-index-and-sourcetype-in-Splunk/m-p/673073#M112747 <P>Any non-internal indexes&nbsp;<EM>could</EM> be a summary index to be honest. But like&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263242">@dtburrows3</a>&nbsp;said, you'll have to take a look at savedsearches.conf to see what search is using the collect command that writes to an index. This isn't guaranteed to identify summary indexes but will help you narrow down what indexes to look into. In our environment, our summary indexes are identified with the "summary_" prefix as best practice.</P> Tue, 02 Jan 2024 21:19:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-list-of-summary-index-and-sourcetype-in-Splunk/m-p/673073#M112747 m_pham 2024-01-02T21:19:40Z