topic How to create summary index? in Splunk Search

How to create summary index?

Vani_26 — Tue, 28 Feb 2023 18:47:59 GMT

I have a dashboard which contains 5 panels in table format.

Query for panel1:
index=xxxx sourcetype=xxxxx stroage_name=CompleteTransactions
|table Description application _time count
streamstats current=f window=1 values( Description) as desp values(application) as app values(_time) as totaltime values (count) as totalcount
|eval siml=if(application == app AND Description == desp, count - totalcount,0)
|where siml > 0
|stats sum(siml) as totalrequest by application

output:

Description	application	_time	count
ampt.gc.com	ampt-portal	2023-01-16 14:00:56.456	100
ampt.gc.com	ampt-login	2023-01-16 12:00:56.400	20
ampt.gc.com	ampt-clientid	2023-01-16 11:00:36.406	50

Similar to panel 1 query we have other 4 panels with different field names.

The task is i need to get the output of 5 panels into a summary index.
Retention period to 60 days
query need to run for every 24 hours

So need to create a report for everyday for last 24 hours and need to create report to collect everydata into summary index.
so that if they search for last 60 days data should display.

how can i do this

Re: Need to create summary index

bowesmana — Tue, 28 Feb 2023 03:29:45 GMT

Create your individual searches, or of you can create a single search that will generate all parts of the data and then save it as a report and then schedule it to run daily for 'yesterday'. The enable summary indexing.

Alternatively you can use the collect statement directly in your search.

In your dashboard, you can either use loadjob or savedsearch command to load the most recent saved search report to diplay or you can make searches from the summary index.

Re: Need to create summary index

Vani_26 — Mon, 06 Mar 2023 22:55:01 GMT

Hi @bowesmana, i have created the query, and i have created a new summary index in indexs.conf

Now what i should create a report and now how i can send the send data to summary index,
Do i need to add like collect at the end of my query??
Do i need to create a 2 reports one for daily and that daily data need to be added in summary index??

I am completely new to this part, not sure how to make the connection between my query and summaryindex.

Re: Need to create summary index

bowesmana — Mon, 06 Mar 2023 23:14:57 GMT

In the report, you have an option to edit summary indexing

You can do it this way, which is the simplest, or you can look at the collect command and do it yourself.

So, your report should produce all the data you want to store.

What is the purpose of the summary index? Is it so that the dashboard can search that summary index instead of the raw data?

If so, you can make a single search that reports on all the data you want to record and then in your dashboard you can just pick the piece of data you need for each panel.

Re: Need to create summary index

gerrysr6 — Thu, 11 Jan 2024 20:56:43 GMT

more screen shot sure would help - where is that? I can see stuff like Edit Description/Permissions/etc. but not Edit Summary Indexing

Re: Need to create summary index

bowesmana — Fri, 12 Jan 2024 02:28:18 GMT

Maybe you don't have permission to do summary indexing, but that option is in the searches, reports and alerts