- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- is it necessary to create an separate index for su...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is it necessary to create an separate index for summary or can we just use the regular index and mark it to enable capturing summary data as well
Hi ,
I am presently using an index say "1234-index" where i have different source types to cater my needs. However, I have one particular source type for which i need to collect the summary data.
so is it necessary to create an entirely new index for summary or can i just use the "1234-index" index and mark it to enable capturing summary data as well in a separate source type?
Thanks
Mohammed Shahid Nawaz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@shahid285 ,
Summary index is nothing but just another index. It's more about for what purpose you are using the summary index.
Usually it's used to efficiently report on large volumes of data , i.e. if you want to run a report for last 30 days from an index with millions of events, you may schedule a search to run every day to extract precise information you want on the final report and populate the summary index. So the final report can run on this summary index more efficiently.
There are the normal use case for using a summary index : Summary indexing use cases
Usually, summary index is a separate index so that you can reduce the data volume you search and avoid duplicate information in the same index. Moreover, summary indexing volume is not counted against your license, even if you have several summary indexes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @renjith.nair ,
Thank you for the response, my situation and concern is to write an event to an index through SPL. For which i had requested suggestion here.
https://answers.splunk.com/answers/736766/is-there-a-possibility-to-write-an-event-to-splunk.html
The suggestion to my posted issue here, was to use collect command. but in order to use collect command, i further found that it needs summary index to be configured. Hence, i configured one. but even post that i am not able to get things working in my favour.
the following is the savedsearches.conf changes made to enable summary indexing, and below is the query i am using to write an event to an index.
savedsearches.conf
[xxxx_capacity_threshold]
action.summary_index = true
action.summary_index._name = xxxxx
action.email.useNSSubject = 1
alert.track = 0
search = index="$param$-xxx" sourcetype="xxx" | table maxPercentage percentage
Query (with collect command)
| makeresults | eval raw = "{\"maxPercentage\":\"70\", \"percentage\":\"90\"}" | table _raw | collect index="xxxxxx-xx" file="new_settings$timestamp$.stash" sourcetype="xxxxxx" addtime=true testmode=false
Thanks
Mohammed Shahid Nawaz
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
