
New to Summary Indexing

rmorlen
Splunk Employee

I have a search:

index=_internal host=licenseManager type=Usage earliest=-5d st!=splunk_metrics | rename st AS sourcetype | timechart span=1d sum(eval(b/1024/1024/1024)) AS GB by sourcetype | addtotals

This gives me a nice table over the past 5 days on license usage per sourcetype. I also get the total usage so I have some idea on our total license usage.

This search takes a while to run. I would like to have a summary index that runs once a day so that I can generate a report once a day that looks back, let's say, the past 30 days.

For the scheduled search I have:

index=_internal host=licenseManager type=Usage earliest=-2d@d latest=-1d@d st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB

Scheduled to run at 1am.

alert condition = always

add fields:

index = summary

report = License_Usage_Report

  1. Is this the correct way to set it up?
  2. How do I generate the report using the summary index?

(we are running Splunk 4.2.5 in case this matters)

Thanks for any help.


rmorlen
Splunk Employee

I did figure out my summary indexing for the license info.

Scheduled search which runs at 1am and puts the data in a summary index named summary_admin:

index=_internal host=licenseManagerHostName earliest=-1d@d latest=@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype

The query I use to display the information:

index=summary_admin earliest=-30d | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals

Since I specify earliest and latest in the scheduled search, backfilling didn't quite work like I would have liked, so I manually ran the searches using the command:

index=_internal host=licenseManagerHostName earliest=-1d@d latest=@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype | collect index=summary_admin

I changed earliest and latest to go back as far as I wanted so:

earliest=-2d@d latest=-1d@d

earliest=-3d@d latest=-2d@d

and so forth...

Hope it helps someone.

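The scheduled summary search and the 30-day report from the answer above, written out as savedsearches.conf stanzas. This is an added example, not configuration from the original post; the stanza names are assumptions, the host name is the placeholder the post uses, and the 01:00 daily schedule and "always" alert condition follow the description in the question.

```ini
# Added example: savedsearches.conf stanzas for the summary-indexing setup described in the post.
# Stanza names are assumed; licenseManagerHostName is the placeholder host from the post.
[License_Usage_Summary]
# Runs daily at 01:00 and covers the previous full day (yesterday 00:00 to today 00:00).
cron_schedule = 0 1 * * *
enableSched = 1
search = index=_internal host=licenseManagerHostName type=Usage earliest=-1d@d latest=@d st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype
# "alert condition = always" from the question.
counttype = always
# Write each result row to the summary index instead of raising an alert.
action.summary_index = 1
action.summary_index._name = summary_admin
# Any extra action.summary_index.<field> key is stamped onto every summary event;
# this is what the "add fields" box in the UI does (report = License_Usage_Report).
action.summary_index.report = License_Usage_Report

[License_Usage_Report]
# Summary events are stored with sourcetype=stash, so the sourcetype value computed by
# the scheduled search is kept as orig_sourcetype, which is why the report groups by it.
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
search = index=summary_admin report=License_Usage_Report | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals
```

Filtering on report=License_Usage_Report keeps this report from picking up events that other summary searches write into the same index.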

josh_1
New Member

Hello, I would suggest contacting Splunk support to answer this question. They would be able to answer it far better than I could.

~josh
