Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Backfill summary index without original data?

alexiri
Communicator
‎06-21-2011 03:27 AM

We used to have a system that aggregated accounting information from some log files and produced daily summaries. We have about 5 years' worth of this summary data.

Now we'd like to use Splunk to index the accounting logs and to produce daily summaries in a summary index. However, we'd also like to be able to import all our old summary data into the summary index. The fill_summary_index.py script doesn't help here because the original data is gone. Is there a way to do this?

Tags (3)
Reply

mw
Splunk Employee
Splunk Employee
‎06-21-2011 03:08 PM

There's nothing special about a "summary index" except that the data it holds is summarized. If you have data that is already summarized you can just stuff it in any index (just create a new one) and use it just like you would any other data (i.e. index=accounting_data | timechart sum(income) by department).

Reply

alexiri
Communicator
‎06-22-2011 01:45 AM

My summary index is built with sistats, so I'm not quite sure of what the internal format is like. Is there any description of it?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...