Knowledge Management

How to edit my search to create a summary index?

jihoon
New Member

I am trying to make a summary index for data in April 2014.

Using the current default search and joins, and to query more than 25 GB of data takes more than 35 seconds of time.

I want to use a summary index to reduce the amount of time used in the search.

index=mail-bak sourcetype=MiMailData earliest="04/01/2014:00:00:00" latest="04/30/2014:24:00:00" MailType=0 OR MailType=1 OR MailType=2 | where isnull(MailCc)
| join MailUID [search index=vpn sourcetype=accesslog earliest="05/01/2014:00:00:00" latest="05/01/2014:24:00:00" | stats count as VpnAccessCount by USER_ID | eval MailUID = USER_ID ] 
| eval testYn = if( match( MailTo , MailFrom ), "Y", "N")
| eval testYn2 = if( match( MailTo , ","), "Y", "N") | search testYn = "Y" AND testYn2 = "N" 
| stats count as SendWeekCount by MailUID VpnAccessCount | rename MailUID as MailTo
| table MailTo SendWeekCount VpnAccessCount

Where's the part that is included in the search command?

What time zone settings?

In addition to setting the part?

Answer please. Thank you.

Tags (1)
0 Karma

masonmorales
Influencer

I think this is what you are looking for:

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect

You add "| collect index="mysummaryindex" to the end of your search.

Time zone is the server's time zone by default. This is often GMT but you can do index=* | head 1 | table _time and compare it to your current (local) time to find out.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Have you evaluated report acceleration vs. summary indexing? See Overview of summary-based search and pivot acceleration in the Knowledge Manager Manual for more information.

For instructions about the reporting commands that populate a summary index, such as sistats, as well as other background information you can use to determine whether a summary index is what you need, see Use summary indexing for increased reporting efficiency, also in the Knowledge Manager Manual.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...