Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to ensure data ingested into summary indexing through schedule reports is stored with the timestamp of the date the report is run?

uhkc777
Explorer
‎02-02-2017 07:20 AM

Hi,

I have a scheduled report which runs every midnight over last 30 days data and indexing into summary index.
But, in summary indexing that result from schedule report is storing with timestamp of 30 days back.
Eg: if i run the schedule report on 02/01 over last 30 days data,the result of this storing in summary index with 01/01 timestamp.

so while calling this summary indexing in my dashboards, i'm using: index=summary et=-30d@d

is there any way to store the summary indexing data with today time stamp?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2017 01:53 PM

If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.

index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2017 01:53 PM

If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.

index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")
Reply
Solved! Jump to solution

rjthibod
Champion
‎02-02-2017 09:07 AM

Please share the savedsearch settings and the actual search that are populating your summary index.

0 Karma
Reply
Solved! Jump to solution

uhkc777
Explorer
‎02-02-2017 09:15 AM

where can i find the saved search settings?.

search query:
index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg
I'm saving it as report .
These are the steps i'm following for summary indexing.

settings-->searches,Reports-->open this report-->schedule this report everyday midnight--->enable summary indexing-->select summary index

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-02-2017 09:11 AM

Also, we need to see the search that you are using to report out from your summary index.

0 Karma
Reply
Solved! Jump to solution

uhkc777
Explorer
‎02-02-2017 09:23 AM

index=test|eval date=strftime(_time,"%Y-%m-%d")|table Date,x|chart dc(x) by Date|appendcols[|search index=summary earliest=-30d@d|head 1|table Avg]|filldown Avg

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...