Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Summary index syslog events doing line merge

vcarbona
Path Finder
‎05-26-2011 01:24 PM

A colleague of mine is summary indexing syslog events from a bigger syslog index. He's doing this to have a more focused and quicker search of the data. However, the syslog events in the summary index are merging from time to time which makes reporting by field impossible. I know with regular indexes there is a SHOULD_LINEMERGE configuration setting, but is there a way to configure the summary index that way? I'm afraid to break something if I add a "SHOULD_LINEMERGE = False" to the "stash" sourcetype.

Additional question: Is it appropriate to put entire events into a summary index? I always thought that summary indexing was used to store aggregated data and not actual entire events.

0 Karma
Reply

hazekamp
Builder
‎05-26-2011 04:36 PM

vcarbona,

You are correct in that summary indexes typically contain aggregated data and not actual events.

If you desire a smaller subset of actual events consider creating an index to route specific events based on some criteria.

I would not recommend changing any of the default behavior for the stash sourcetype as this is likely to have adverse affects.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...