Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me incorporate my search into a summary Index?

IRHM73
Motivator
‎02-22-2019 12:36 AM

Hi,

I wonder whether someone may be able to help me please.

I'm using the following query:

(`company_wmf(Login)` authentication=Success) OR (`login-frontend_wmf(Login)` authentication=Success) OR | eval "X-sessionId"=coalesce('tags.X-Session-ID', sessionId) | eval time=strftime(earliest_time, "%d/%m/%Y %H:%M:%S") | eval endtime=strftime(_time, "%d/%m/%Y %H:%M:%S") | eval PTA=if('tags.path'="/account",1,"") | stats earliest(time) as time latest(endtime) as endtime values(test) as test by X-sessionId | search login=PTA login=G test!=""

I'm now wanting to incorporate this into extracting the data into a summary Index.

I've read a lot of documentation and posts, which do seem to contradict each other, so could someone tell me please, would I need to change the query so I can then use the stats portion of the query in a dashboard panel, but pulling the data from the SI?

Many thanks and kind regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakshman239
Influencer
‎02-22-2019 01:37 AM

What's your use case? do you want to store data in summary index, so you can improve performance and save minimal [ summary data] to summary index and then query the summary index in the dashboard? If yes, you can schedule a search to write to summary index and query in dashboard.

On the other hand, if your search works fine and all you do is dashboard improvements, you can have your search as 'base search' which can be used to power one or more panels giving better performance

Hope you have looked at the below:

https://docs.splunk.com/Documentation/Splunk/7.2.4/Knowledge/Usesummaryindexing

https://docs.splunk.com/Documentation/Splunk/7.2.4/Viz/Savedsearches

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ashajambagi
Communicator
‎02-22-2019 02:12 AM

Summary indexing is mainly to speed up the searching by filtering the required data which will be fulfilled by using transforming command.
Schedule a report and enable summary indexing on it. You can perform further search on the si data.

Reply
Solved! Jump to solution
Solution

lakshman239
Influencer
‎02-22-2019 01:37 AM

What's your use case? do you want to store data in summary index, so you can improve performance and save minimal [ summary data] to summary index and then query the summary index in the dashboard? If yes, you can schedule a search to write to summary index and query in dashboard.

On the other hand, if your search works fine and all you do is dashboard improvements, you can have your search as 'base search' which can be used to power one or more panels giving better performance

Hope you have looked at the below:

https://docs.splunk.com/Documentation/Splunk/7.2.4/Knowledge/Usesummaryindexing

https://docs.splunk.com/Documentation/Splunk/7.2.4/Viz/Savedsearches

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎02-22-2019 01:43 AM

Hi @lakshman239 . Thank you for coming back to me with this.

My use case is the former. i.e. improve performance and then query the dashboard.

Yes I'd looked at the guidance, but my confusion was around the transforming commands. I'd read some documentation/posts which suggested to use them in the query populating the SI with data, whereas as some said not to.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-22-2019 01:52 AM

generally, you want to have a minimal data stored in summary index over a long period of time. So, using the transforming command helps in achieving that goal and is quicker. if the number of results returned by your scheduled search for (summary gen search) is not much, you may be able to live with not using transforming command [ but not a good practice]. So, in summary, yes, you can use your search as a summary gen search [including stats] and store the results in summary index. You can then have another query in your dashboard to directly get the results that you need for your time period, with less/minimal manipulation.

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎02-22-2019 01:56 AM

Hi @lakshman239. Many thanks for your help.

Kindest Regards

Chris

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-22-2019 02:04 AM

If you are happy with content chris, pls accept the comment/answer .

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎02-22-2019 02:10 AM

Hi. Because your comment is a comment and not an answer I can't accept it.

If you want to change it I'd be more than happy to accept.

Regards

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...