Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my search to create a summary index?

jihoon
New Member
‎03-30-2015 12:38 AM

I am trying to make a summary index for data in April 2014.

Using the current default search and joins, and to query more than 25 GB of data takes more than 35 seconds of time.

I want to use a summary index to reduce the amount of time used in the search.

index=mail-bak sourcetype=MiMailData earliest="04/01/2014:00:00:00" latest="04/30/2014:24:00:00" MailType=0 OR MailType=1 OR MailType=2 | where isnull(MailCc)
| join MailUID [search index=vpn sourcetype=accesslog earliest="05/01/2014:00:00:00" latest="05/01/2014:24:00:00" | stats count as VpnAccessCount by USER_ID | eval MailUID = USER_ID ] 
| eval testYn = if( match( MailTo , MailFrom ), "Y", "N")
| eval testYn2 = if( match( MailTo , ","), "Y", "N") | search testYn = "Y" AND testYn2 = "N" 
| stats count as SendWeekCount by MailUID VpnAccessCount | rename MailUID as MailTo
| table MailTo SendWeekCount VpnAccessCount

Where's the part that is included in the search command?

What time zone settings?

In addition to setting the part?

Answer please. Thank you.

Tags (1)
0 Karma
Reply

masonmorales
Influencer
‎03-30-2015 01:38 PM

I think this is what you are looking for:

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Collect

You add "| collect index="mysummaryindex" to the end of your search.

Time zone is the server's time zone by default. This is often GMT but you can do index=* | head 1 | table _time and compare it to your current (local) time to find out.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎03-30-2015 01:16 PM

Have you evaluated report acceleration vs. summary indexing? See Overview of summary-based search and pivot acceleration in the Knowledge Manager Manual for more information.

For instructions about the reporting commands that populate a summary index, such as sistats, as well as other background information you can use to determine whether a summary index is what you need, see Use summary indexing for increased reporting efficiency, also in the Knowledge Manager Manual.

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...