What is a summary index and how can one check whet...

pavanae · ‎03-20-2017

My main question is I am trying to check whether the current summary indexes in our environment were getting the data from a particular sourcetype. How can I do that and actually where can i check all the summary indexes?

muebel · ‎03-20-2017

Hi pavanae, the docs here have more information on summary indexing in general : http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Usesummaryindexing

Concerning the sourcetype, all data that is summary indexed gets the stash sourcetype. The original sourcetype is preserved in the orig_sourcetype fields, and so you could figure out what sourcetypes are being put into summary indexes by running:

sourcetype=stash | stats count by orig_sourcetype

Please let me know if this answers your question!

rkondeti3 · ‎10-31-2017

But the stats count will only work if there is data in the index. How can you tell whether an empty index is a summary index or not?

ddrillic · ‎10-31-2017

You can check whether it's a "real" index in indexes.conf...

woodcock · ‎03-24-2017

Yes, exactly:

index=* sourcetype=stash | stats count BY orig_sourcetype

What is a summary index and how can one check whether the summary index gets the data of a particular sourcetype?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...