https://community.splunk.com/t5/Knowledge-Management/Summary-index-search-not-working/m-p/81349#M812 <P>Simply, you need to check the "enable summary indexing" checkbox. <CODE>sistats</CODE> will generate the data, but will not write it to the summary index.</P> Wed, 29 Feb 2012 05:42:23 GMT gkanapathy 2012-02-29T05:42:23Z https://community.splunk.com/t5/Knowledge-Management/Summary-index-search-not-working/m-p/81348#M811 <P>So after having used Splunk for over a year now, I'm finally getting around to doing my first summary index-based search and it's not working. Clearly I'm missing something that's probably obvious, but I can't figure out what it is.</P> <P>I had started with the following search</P> <PRE><CODE>tag=p*aps* source=*/access.log | stats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host| eval MBytes_Total = round((( bytes_sent_total + bytes_received_total ) / 1048576), 2) | eval MBytes_Sent = round((bytes_sent_total / 1048576),2) | eval MBytes_Received = round((bytes_received_total / 1048576),2) | fields host, HTTP_Operations, MBytes_Sent, MBytes_Received, MBytes_Total </CODE></PRE> <P>which works great run by itself. I read the docs and understand that I have to drop the eval's. So I whittled this down to</P> <PRE><CODE>tag=p*aps* source=*/access.log | sistats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host </CODE></PRE> <P>I made this a scheduled search to collect this information for yesterday (start -1d@d, end @d) and scheduled to run every day at 10 minutes after midnight. I do not have the enable summary indexing box checked in the scheduled search because I thought I'd understood that the "sistats" command itself would generate the summary data.</P> <P>So this search runs according to job monitor, but nothing ever shows up in the summary index. In fact, according to the index page under Manager, my summary index hasn't had a new event added in 6 days.</P> <P>What am I doing wrong?</P> <P>Thanks</P> Wed, 29 Feb 2012 02:41:01 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-index-search-not-working/m-p/81348#M811 mfrost8 2012-02-29T02:41:01Z https://community.splunk.com/t5/Knowledge-Management/Summary-index-search-not-working/m-p/81349#M812 <P>Simply, you need to check the "enable summary indexing" checkbox. <CODE>sistats</CODE> will generate the data, but will not write it to the summary index.</P> Wed, 29 Feb 2012 05:42:23 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-index-search-not-working/m-p/81349#M812 gkanapathy 2012-02-29T05:42:23Z https://community.splunk.com/t5/Knowledge-Management/Summary-index-search-not-working/m-p/81350#M813 <P>That was it. What I'd understood from the docs was that using "sistats" alone was signalling Splunk that this was a summary index related search. I thought that ticking the enable summary indexing checkbox would handle the details if say you used "stats" instead of "sistats".</P> <P>Thanks very much, Gerald.</P> Wed, 29 Feb 2012 18:59:01 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-index-search-not-working/m-p/81350#M813 mfrost8 2012-02-29T18:59:01Z