What is a summary index and how can one check whet...

pavanae · ‎03-20-2017

My main question is I am trying to check whether the current summary indexes in our environment were getting the data from a particular sourcetype. How can I do that and actually where can i check all the summary indexes?

muebel · ‎03-20-2017

Hi pavanae, the docs here have more information on summary indexing in general : http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Usesummaryindexing

Concerning the sourcetype, all data that is summary indexed gets the stash sourcetype. The original sourcetype is preserved in the orig_sourcetype fields, and so you could figure out what sourcetypes are being put into summary indexes by running:

sourcetype=stash | stats count by orig_sourcetype

Please let me know if this answers your question!

rkondeti3 · ‎10-31-2017

But the stats count will only work if there is data in the index. How can you tell whether an empty index is a summary index or not?

ddrillic · ‎10-31-2017

You can check whether it's a "real" index in indexes.conf...

woodcock · ‎03-24-2017

Yes, exactly:

index=* sourcetype=stash | stats count BY orig_sourcetype

What is a summary index and how can one check whether the summary index gets the data of a particular sourcetype?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

What is a summary index and how can one check whether the summary index gets the data of a particular sourcetype?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25