I'm trying to dig deeper into summary indexing, but at this point I feel a bit confused.
What I did so far is:
- created an index to use for summaries (so as not to use the built-in summary index)
- stored some of my search results with collect: | collect index=my_summary_index sourcetype=my_summary_sourcetype
I was looking at the si-commands, sistats in the first place.
What I don't get is, how do I store the results from sistats in a summary index?
Do I have to add collect after sistats, or can't I use it in an inline search at all, so that I have to schedule the search and enable summary indexing for the report?
You don't have to do anything with si- commands if you don't want. The collect method you used is fine as long as you have defined the summary sourcetype. The use of si- commands comes down to your specific use case and the type of summary data you are using.
The collect command takes care of writing to the summary index, and it just writes whatever you tell it to write.
The si- commands are special commands that prepare data before writing it to a summary index, or in global searches when doing post-processing searches.
There is nothing that says you have to use the si- commands before writing to a summary index - it is only a suggested method for certain cases.
I do exactly what you did in my certified app.
So let me put it this way:
This time, I would like to use si-commands; I just don't get what the recommended way is to route the output from sistats or similar commands to an arbitrary summary index.
If you are using the savedsearch interface/settings manager, you would create your search with the desired si- command at the end, and then you would enable summary indexing in the saved search UI settings. You would not use collect anywhere in your SPL search.
You can see the summary indexing options in the savedsearches.conf file spec here http://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf. At a minimum, you would need to add the following to your local savedsearches.conf. You can do this in the savedsearch UI if you don't want to edit the config files.
action.summary_index = 1
The savedsearch settings take care of storing the data in the summary index.
So if you create a savedsearch that looks like
index=foo ... | ... | sistats sum(bar) by host
And you turn on the settings in the savedsearch from the earlier comment, Splunk will automatically write the output of the sistats command to the summary index you specify in the settings.
Basically, you do not need collect if you turn on the savedsearch settings to tell it to write to the summary index.
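As an added example that is not part of the original thread, here is a local savedsearches.conf stanza that routes the sistats output from the answer above into the custom index from the question. The stanza name, the cron schedule, the time window and the marker field are assumptions; the index itself must already be defined in indexes.conf, since the scheduler does not create it.

```ini
# Added example (not from the original thread): a scheduled report in
# local/savedsearches.conf that writes sistats output to a custom summary
# index. Stanza name, schedule, time window and marker field are assumed.
[hourly_bar_by_host]
search = index=foo | sistats sum(bar) by host

# Summary indexing only happens on scheduled runs, so the search must
# be scheduled. Each run covers the previous full hour, so consecutive
# runs do not overlap and the summary does not double-count.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Equivalent of "Enable summary indexing" in the saved search UI.
# No collect command is needed in the SPL: these settings write the
# sistats output to the index named in _name instead of the default
# "summary" index.
action.summary_index = 1
action.summary_index._name = my_summary_index

# action.summary_index.<field> = <value> stamps an extra field on every
# summary event, so later searches can select just this report's rows.
action.summary_index.report = hourly_bar_by_host
```

To read the summary back, use the non-si form of the command over the marker field, for example index=my_summary_index report=hourly_bar_by_host | stats sum(bar) by host.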