https://community.splunk.com/t5/Knowledge-Management/How-to-edit-my-search-to-create-a-summary-index/m-p/111703#M1134 <P>I think this is what you are looking for:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect">http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect</A></P> <P>You add "| collect index="mysummaryindex" to the end of your search.</P> <P>Time zone is the server's time zone by default. This is often GMT but you can do index=* | head 1 | table _time and compare it to your current (local) time to find out.</P> Mon, 30 Mar 2015 20:38:14 GMT masonmorales 2015-03-30T20:38:14Z https://community.splunk.com/t5/Knowledge-Management/How-to-edit-my-search-to-create-a-summary-index/m-p/111701#M1132 <P>I am trying to make a summary index for data in April 2014.</P> <P>Using the current default search and joins, and to query more than 25 GB of data takes more than 35 seconds of time.</P> <P>I want to use a summary index to reduce the amount of time used in the search.</P> <PRE><CODE>index=mail-bak sourcetype=MiMailData earliest="04/01/2014:00:00:00" latest="04/30/2014:24:00:00" MailType=0 OR MailType=1 OR MailType=2 | where isnull(MailCc) | join MailUID [search index=vpn sourcetype=accesslog earliest="05/01/2014:00:00:00" latest="05/01/2014:24:00:00" | stats count as VpnAccessCount by USER_ID | eval MailUID = USER_ID ] | eval testYn = if( match( MailTo , MailFrom ), "Y", "N") | eval testYn2 = if( match( MailTo , ","), "Y", "N") | search testYn = "Y" AND testYn2 = "N" | stats count as SendWeekCount by MailUID VpnAccessCount | rename MailUID as MailTo | table MailTo SendWeekCount VpnAccessCount </CODE></PRE> <P>Where's the part that is included in the search command?</P> <P>What time zone settings?</P> <P>In addition to setting the part?</P> <P>Answer please. Thank you.</P> Mon, 30 Mar 2015 07:38:16 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-edit-my-search-to-create-a-summary-index/m-p/111701#M1132 jihoon 2015-03-30T07:38:16Z https://community.splunk.com/t5/Knowledge-Management/How-to-edit-my-search-to-create-a-summary-index/m-p/111702#M1133 <P>Have you evaluated report acceleration vs. summary indexing? See <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Aboutsummaryindexing">Overview of summary-based search and pivot acceleration</A> in the <EM>Knowledge Manager Manual</EM> for more information.</P> <P>For instructions about the reporting commands that populate a summary index, such as <CODE>sistats</CODE>, as well as other background information you can use to determine whether a summary index is what you need, see <A href="http://Use+summary+indexing+for+increased+reporting+efficiency">Use summary indexing for increased reporting efficiency</A>, also in the <EM>Knowledge Manager Manual</EM>.</P> Mon, 30 Mar 2015 20:16:29 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-edit-my-search-to-create-a-summary-index/m-p/111702#M1133 ChrisG 2015-03-30T20:16:29Z https://community.splunk.com/t5/Knowledge-Management/How-to-edit-my-search-to-create-a-summary-index/m-p/111703#M1134 <P>I think this is what you are looking for:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect">http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect</A></P> <P>You add "| collect index="mysummaryindex" to the end of your search.</P> <P>Time zone is the server's time zone by default. This is often GMT but you can do index=* | head 1 | table _time and compare it to your current (local) time to find out.</P> Mon, 30 Mar 2015 20:38:14 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-edit-my-search-to-create-a-summary-index/m-p/111703#M1134 masonmorales 2015-03-30T20:38:14Z