Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to ensure data ingested into summary indexing through schedule reports is stored with the timestamp of the date the report is run?

uhkc777
Explorer
‎02-02-2017 07:20 AM

Hi,

I have a scheduled report which runs every midnight over last 30 days data and indexing into summary index.
But, in summary indexing that result from schedule report is storing with timestamp of 30 days back.
Eg: if i run the schedule report on 02/01 over last 30 days data,the result of this storing in summary index with 01/01 timestamp.

so while calling this summary indexing in my dashboards, i'm using: index=summary et=-30d@d

is there any way to store the summary indexing data with today time stamp?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2017 01:53 PM

If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.

index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2017 01:53 PM

If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.

index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")
Reply
Solved! Jump to solution

rjthibod
Champion
‎02-02-2017 09:07 AM

Please share the savedsearch settings and the actual search that are populating your summary index.

0 Karma
Reply
Solved! Jump to solution

uhkc777
Explorer
‎02-02-2017 09:15 AM

where can i find the saved search settings?.

search query:
index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg
I'm saving it as report .
These are the steps i'm following for summary indexing.

settings-->searches,Reports-->open this report-->schedule this report everyday midnight--->enable summary indexing-->select summary index

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-02-2017 09:11 AM

Also, we need to see the search that you are using to report out from your summary index.

0 Karma
Reply
Solved! Jump to solution

uhkc777
Explorer
‎02-02-2017 09:23 AM

index=test|eval date=strftime(_time,"%Y-%m-%d")|table Date,x|chart dc(x) by Date|appendcols[|search index=summary earliest=-30d@d|head 1|table Avg]|filldown Avg

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...