topic Re: Modify source name while summary indexing data in Reporting

Modify source name while summary indexing data

angelinealex — Wed, 13 Jun 2018 18:49:48 GMT

I have a saved search called searchA. I am scheduling this saved search and summary indexing the data. After the scheduler runs i am seeing the source value as searchA (source=searchA). But I would like to have the source value as searchX (source=searchX).

How to achieve it when the scheduler runs or do I have option to change the source name in searchA code itself, so that it can be picked up when the saved search runs?

Can someone help me?

Re: Modify source name while summary indexing data

adonio — Wed, 13 Jun 2018 20:33:10 GMT

hello there,

you can leverage collect command to put results in summary indexes and overwrite the source
.... your search | collect index =<index_name> source=<source_name>
read here more:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Collect

hope it helps

Re: Modify source name while summary indexing data

angelinealex — Wed, 13 Jun 2018 21:10:59 GMT

thanks for the response. It works. But it adds the data into summary index when I just run the saved search. I mean run the below query in the search box.

.... my search | collect index =<index_name> source=<source_name>

Can we control that to modify the source only when the saved search executes during the schedule time? Or is there any other way to change the source name only when the savedsearch executes during scheduled time?

Re: Modify source name while summary indexing data

adonio — Thu, 14 Jun 2018 00:41:29 GMT

not sure exactly what you mean.
a search, scheduled or not, populates the summery index.
convert your saved search to the format above and save it to meet your requirements.
hope i understood your comment

Re: Modify source name while summary indexing data

angelinealex — Fri, 15 Jun 2018 18:17:47 GMT

well.. When we use collect, if someone, by mistake runs the saved search (through open in search option) the data will be summary indexed. I would like to avoid this.

So I want to summary index the data only by scheduling the saved search and change the source_name.

Please let me know if I am not clear.

Re: Modify source name while summary indexing data

adonio — Fri, 15 Jun 2018 20:19:19 GMT

how does that different form sistats or whatever you are doing today?
i feel like i already answered how to rename the source field when summarizing data via search. if not, please elaborate, as i probably did not understand your question

Re: Modify source name while summary indexing data

richgalloway — Thu, 06 Dec 2018 14:12:59 GMT

There is no way to change the behavior of a search based on whether it was scheduled or not. The collect command will always write to the summary index (unless the testmode option is enabled) every time the search executes.