Summary index syslog events doing line merge

vcarbona — Thu, 26 May 2011 20:24:26 GMT

A colleague of mine is summary indexing syslog events from a bigger syslog index. He's doing this to have a more focused and quicker search of the data. However, the syslog events in the summary index are merging from time to time which makes reporting by field impossible. I know with regular indexes there is a SHOULD_LINEMERGE configuration setting, but is there a way to configure the summary index that way? I'm afraid to break something if I add a "SHOULD_LINEMERGE = False" to the "stash" sourcetype.

Additional question: Is it appropriate to put entire events into a summary index? I always thought that summary indexing was used to store aggregated data and not actual entire events.

Re: Summary index syslog events doing line merge

hazekamp — Thu, 26 May 2011 23:36:46 GMT

vcarbona,

You are correct in that summary indexes typically contain aggregated data and not actual events.

If you desire a smaller subset of actual events consider creating an index to route specific events based on some criteria.

I would not recommend changing any of the default behavior for the stash sourcetype as this is likely to have adverse affects.

topic Re: Summary index syslog events doing line merge in Getting Data In

Summary index syslog events doing line merge

Re: Summary index syslog events doing line merge