Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to ensure data ingested into summary index...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a scheduled report which runs every midnight over last 30 days data and indexing into summary index.
But, in summary indexing that result from schedule report is storing with timestamp of 30 days back.
Eg: if i run the schedule report on 02/01 over last 30 days data,the result of this storing in summary index with 01/01 timestamp.
so while calling this summary indexing in my dashboards, i'm using: index=summary et=-30d@d
is there any way to store the summary indexing data with today time stamp?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.
index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.
index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share the savedsearch settings and the actual search that are populating your summary index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where can i find the saved search settings?.
search query:
index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg
I'm saving it as report .
These are the steps i'm following for summary indexing.
settings-->searches,Reports-->open this report-->schedule this report everyday midnight--->enable summary indexing-->select summary index
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, we need to see the search that you are using to report out from your summary index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=test|eval date=strftime(_time,"%Y-%m-%d")|table Date,x|chart dc(x) by Date|appendcols[|search index=summary earliest=-30d@d|head 1|table Avg]|filldown Avg
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
