What is a summary index and how can one check whether the summary index gets the data of a particular sourcetype?

My main question is I am trying to check whether the current summary indexes in our environment were getting the data from a particular sourcetype. How can I do that, and actually where can I check all the summary indexes?

Hi pavanae, the docs here have more information on summary indexing in general: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Usesummaryindexing
Concerning the sourcetype, all data that is summary indexed gets the stash sourcetype. The original sourcetype is preserved in the orig_sourcetype field, and so you could figure out what sourcetypes are being put into summary indexes by running:
sourcetype=stash | stats count by orig_sourcetype
Please let me know if this answers your question!

But the stats count will only work if there is data in the index. How can you tell whether an empty index is a summary index or not?

You can check whether it's a "real" index in indexes.conf
...

Yes, exactly:
index=* sourcetype=stash | stats count BY orig_sourcetype
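
For the empty-index case raised earlier in the thread, the scheduled searches can be read instead of the data. The following is an added example, not code from the thread or from Splunk: it parses savedsearches.conf text and maps each target index to the searches that write to it, either through `action.summary_index` (whose `_name` defaults to `summary`) or through a `collect` command. The sample conf content and the function names are constructed for illustration.

```python
import re
# Constructed sample savedsearches.conf content (not taken from the thread).
SAMPLE_SAVEDSEARCHES = r"""
[Hourly firewall rollup]
action.summary_index = 1
action.summary_index._name = summary_fw
search = index=fw sourcetype=cisco:asa | sistats count by action

[Daily auth rollup]
search = index=os sourcetype=linux_secure \
| stats count by user \
| collect index=summary_auth

[Ad hoc report]
search = index=web sourcetype=access_combined | stats count by status
"""

# Matches "| collect ... index=<name>" inside a search string.
COLLECT_RE = re.compile(r'\|\s*collect\b[^|]*?\bindex\s*=\s*"?([\w-]+)')

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # backslash continues the value
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def summary_targets(conf_text):
    """Map each summary index name to the saved searches that write to it."""
    targets = {}
    for name, kv in parse_conf(conf_text).items():
        indexes = set(COLLECT_RE.findall(kv.get("search", "")))
        # Simplification: only "1"/"true" are treated as enabled here.
        if kv.get("action.summary_index", "0").lower() in ("1", "true"):
            indexes.add(kv.get("action.summary_index._name", "summary"))
        for idx in sorted(indexes):
            targets.setdefault(idx, []).append(name)
    return targets
```

Feed it the contents of each app's savedsearches.conf and compare the resulting index names with the stanzas in indexes.conf; an index that appears in both is a summary-index target even when it holds no events yet.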
