Hello
I'm trying to create a summary index. I scheduled a search and edited the summary index, but I could not run a new search on the results that I have already obtained in the scheduled searches.
I already have an index and I selected it as the summary index.
But after the scheduled search runs, I search this index and I always get 0 events, while the results of the search aren't 0 events.
Hi @hrached,
ok, at the end of the scheduled search you have to add:
The command that adds the search results to the summary index is "collect" that's missing in your search.
As you can read at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect, you have to add at the end of your search:
your_search
| collect index=your_summary_index
in this way your search results will be in the summary index.
Ciao.
Giuseppe
I have already done that, I think.
Hi @hrached,
as you can read at https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Setupsummaryindexes and https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configuresummaryindexes to use a summary index you have to:
In this way you'll have the search results in the summary index.
What's the problem you encountered?
Ciao.
Giuseppe