Backfill summary index without original data?

alexiri · ‎06-21-2011

We used to have a system that aggregated accounting information from some log files and produced daily summaries. We have about 5 years' worth of this summary data.

Now we'd like to use Splunk to index the accounting logs and to produce daily summaries in a summary index. However, we'd also like to be able to import all our old summary data into the summary index. The fill_summary_index.py script doesn't help here because the original data is gone. Is there a way to do this?

mw · ‎06-21-2011

There's nothing special about a "summary index" except that the data it holds is summarized. If you have data that is already summarized you can just stuff it in any index (just create a new one) and use it just like you would any other data (i.e. index=accounting_data | timechart sum(income) by department).

alexiri · ‎06-22-2011

My summary index is built with sistats, so I'm not quite sure of what the internal format is like. Is there any description of it?

Backfill summary index without original data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation

Backfill summary index without original data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series