Hi All,
I am trying to create summary index for Cisco ESA Textmail logs. I will then rebuild the Email data model using the summary index.
The scheduled search is running correctly but when I try to search the summary index I get no events returned.
How does one check that events are going into the summary index correctly?
Steps Taken
- Created a new index called email_summary
- I have created a scheduled search to run every 15 minutes
- In the settings I have ticked 'Enable summary indexing'
Saved Search
index=email sourcetype=cisco:esa:textmail
| stats values(action) as action, values(dest) as dest, values(duration) as duration, values(file_name) as file_name, values(message_id) as message_id, values(recipient) as recipient, dc(recipient) as recipient_count, values(recipient_domain) as recipient_domain, values(src) as src, values(src_user) as src_user, values(src_user_domain) as src_user_domain, values(message_subject) as subject, values(tag) as tag, values(url) as url, values(user) AS user values(vendor_product) as vendor_product, values(vendor_action) as filter_action, values(reputation_score) as filter_score BY internal_message_id
Thanks,
Dave
