Knowledge Management

Can you help me incorporate my search into a summary Index?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I'm using the following query:

(`company_wmf(Login)` authentication=Success) OR (`login-frontend_wmf(Login)` authentication=Success) OR | eval "X-sessionId"=coalesce('tags.X-Session-ID', sessionId) | eval time=strftime(earliest_time, "%d/%m/%Y %H:%M:%S") | eval endtime=strftime(_time, "%d/%m/%Y %H:%M:%S") | eval PTA=if('tags.path'="/account",1,"") | stats earliest(time) as time latest(endtime) as endtime values(test) as test by X-sessionId | search login=PTA login=G test!=""

I'm now wanting to incorporate this into extracting the data into a summary Index.

I've read a lot of documentation and posts, which do seem to contradict each other, so could someone tell me please, would I need to change the query so I can then use the stats portion of the query in a dashboard panel, but pulling the data from the SI?

Many thanks and kind regards

Chris

0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust

What's your use case? do you want to store data in summary index, so you can improve performance and save minimal [ summary data] to summary index and then query the summary index in the dashboard? If yes, you can schedule a search to write to summary index and query in dashboard.

On the other hand, if your search works fine and all you do is dashboard improvements, you can have your search as 'base search' which can be used to power one or more panels giving better performance

Hope you have looked at the below:

https://docs.splunk.com/Documentation/Splunk/7.2.4/Knowledge/Usesummaryindexing

https://docs.splunk.com/Documentation/Splunk/7.2.4/Viz/Savedsearches

View solution in original post

0 Karma

ashajambagi
Communicator

Summary indexing is mainly to speed up the searching by filtering the required data which will be fulfilled by using transforming command.
Schedule a report and enable summary indexing on it. You can perform further search on the si data.

lakshman239
SplunkTrust
SplunkTrust

What's your use case? do you want to store data in summary index, so you can improve performance and save minimal [ summary data] to summary index and then query the summary index in the dashboard? If yes, you can schedule a search to write to summary index and query in dashboard.

On the other hand, if your search works fine and all you do is dashboard improvements, you can have your search as 'base search' which can be used to power one or more panels giving better performance

Hope you have looked at the below:

https://docs.splunk.com/Documentation/Splunk/7.2.4/Knowledge/Usesummaryindexing

https://docs.splunk.com/Documentation/Splunk/7.2.4/Viz/Savedsearches

0 Karma

IRHM73
Motivator

Hi @lakshman239 . Thank you for coming back to me with this.

My use case is the former. i.e. improve performance and then query the dashboard.

Yes I'd looked at the guidance, but my confusion was around the transforming commands. I'd read some documentation/posts which suggested to use them in the query populating the SI with data, whereas as some said not to.

Many thanks and kind regards

Chris

0 Karma

lakshman239
SplunkTrust
SplunkTrust

generally, you want to have a minimal data stored in summary index over a long period of time. So, using the transforming command helps in achieving that goal and is quicker. if the number of results returned by your scheduled search for (summary gen search) is not much, you may be able to live with not using transforming command [ but not a good practice]. So, in summary, yes, you can use your search as a summary gen search [including stats] and store the results in summary index. You can then have another query in your dashboard to directly get the results that you need for your time period, with less/minimal manipulation.

0 Karma

IRHM73
Motivator

Hi @lakshman239. Many thanks for your help.

Kindest Regards

Chris

0 Karma

lakshman239
SplunkTrust
SplunkTrust

If you are happy with content chris, pls accept the comment/answer .

0 Karma

IRHM73
Motivator

Hi. Because your comment is a comment and not an answer I can't accept it.

If you want to change it I'd be more than happy to accept.

Regards

Chris

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...