topic Re: summary indexing data in Knowledge Management

summary indexing data

splunkingsplunk — Mon, 28 Sep 2020 09:58:54 GMT

hi i am using the below query to summary index

index=level3 earliest=+285min latest=+300min | eval volumegb=volumebytes/(1024*1024*1024) | sitimechart sum(volumegb),distinct_count(ipaddr) span=1min

for every 15 mins, new log file will be added to level3 indexing and that file consists of data varying from next 50 mins to next 6 hrs.

so the above summary indexing dont work as new data will be added to level3 index for various time intervals. but the data is added to level3 index from a single file for every 15 mins

is there any way i can summary index new data from index level3

Thanks

Re: summary indexing data

yannK — Thu, 13 Oct 2011 15:36:20 GMT

First : you shouldn't summarize your data until all your events are indexed.

Or you want to consolidate your summaries, you will have to :

delete the existing stats for a given period and recreate them using a backfill. something like : index=summary search_name=mysummarysearch earliest=-xdays latest=-ydays | delete
then repopulate the summary search for the given period using the "backfill script" http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Managesummaryindexgapsandoverlaps

Re: summary indexing data

splunkingsplunk — Fri, 14 Oct 2011 17:35:56 GMT

Thanks for the reply YannK. but depending on my summary index data. our developer is trying to show graph values like amount of gb served for past 2hrs, 24 hrs 7 days. so i f ihave to delete 7 hrs of data and sumamry index it again his graph will be missing data for that time. is there any way i can summary-index only new events indexed by level3(index) in particular time period(time period it indexed the data) not the event time period. sorry if it is a dumb question..