Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a summary index from the existing raw data to include the 13 fields in the attachment?

deepthi5
Path Finder
‎03-21-2017 09:13 AM

Need to create a summary index from the existing raw data to include the 13 fields in the attachment. The index needs to be created every 5 mins, 60 mins, and on a daily basis while being retained for a period of 13 months.

I would like to how to retain this for 13 months and is using stats is a correct method to include fields that i need?

Right now i have created the following savedsearches.conf 

[30159_cso_stratus_summaryindex]
action.summary_index = 1
action.summary_index._name = cso_stratus_summary
action.summary_index.report = cso_stratus_summaryindex
alert.digest_mode = True
alert.expires = 4h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */5 * * * *
description = summary index for cso stratus
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
realtime_schedule = 0
search = search = index="iiiiiuiiiiiiiii" sourcetype="ssssjjsjsjsjjsjs"  |stats count by xxxx,yyyyy,azzzzzz,ccccc,cccc

[30159_cso_stratus_summaryindex]
action.summary_index = 1
action.summary_index._name = cso_stratus_summary
alert.digest_mode = True
alert.expires = 4h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */10 * * * *
description = summary index for cso stratus
dispatch.earliest_time = -10m
dispatch.latest_time = now
enableSched = 1
realtime_schedule = 0
search = index="iiiiiuiiiiiiiii" sourcetype="ssssjjsjsjsjjsjs"  |stats count by xxxx,yyyyy,azzzzzz,ccccc,cccc
0 Karma
Reply

andrey2007
Contributor
‎03-22-2017 07:30 AM

Hello, deepthi5

You can specify fields to write in summary index using | table command.
About retention period It could be specified in indexes.conf using parameter "frozenTimePeriodInSecs"
frozenTimePeriodInSecs = .

Reply

DalJeanis
SplunkTrust
SplunkTrust
‎03-28-2017 07:02 AM

Yes, use | stats to summarize to the level you want, and |table to eliminate all unnecessary fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...