How to set up a summary index?

soundchaos
Path Finder

I read all the Splunk documentation for setting up a summary index, and I followed it as best I could, but I can't get results when I try to search against it.

My search: index="summary" search_name="404_logs"

but my search is not even listed in any indexes with index="summary*"

If I go to Settings > Knowledge > Searches, reports, and alerts,
it shows my 404_logs search that I am trying to set up as a summary index, and it has 0 alerts.
(It has been over 24 hours since I set it up.)

In that search, it is configured as follows:

SEARCH: index="is_logs" source="mysite.com" sc_status = 404
DESCRIPTION: Summary Index of 404 errors
Not accelerated
SCHEDULE: -1y to now, basic, every day at midnight.
ALERT: Condition - Always, alert mode - once per search, no throttling, 24 hour expiration, medium severity
ALERT ACTIONS: All disabled
SUMMARY INDEXING: Enabled, index - summary, add fields - blank

I'm not sure if I am trying to search against it improperly, or if it is not set up right. Edit: My eventual goal is to be able to easily pull up a time chart of 404 errors within the last year, because without using summary indexing, the search takes over an hour to complete on the dashboard every time the page is loaded, and I need to use the 404 error data in other searches as well.


somesoni2
Revered Legend

I see the following possible issues with your summary index search configuration (not necessarily the cause of the issue that you're facing):

1) The SEARCH is not summarizing anything. You should use some aggregate command to summarize the data so that later, when you use index=summary, it has to retrieve/process less data.

2) The time range for the search should match the schedule, e.g. for a daily schedule it should select the last 1 day of data, else you will have duplicates.

My suggestion would be (based on the requirement that you need the summary for a timechart):

SEARCH: index="is_logs" source="mysite.com" sc_status = 404 | timechart span=1h count
DESCRIPTION: Summary Index of 404 errors
Not accelerated
TIME RANGE: -1d@d to @d
SCHEDULE: basic, every day at midnight.
ALERT: Condition - Always, alert mode - once per search, no throttling, 24 hour expiration, medium severity
ALERT ACTIONS: All disabled
SUMMARY INDEXING: Enabled, index - summary, add fields - blank

To get data for last year, you should backfill the summary index.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Managesummaryindexgapsandoverlaps

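The suggested setup above, written out as savedsearches.conf stanzas. This is an added example, not part of the original answer or of Splunk's docs; the app, the `404_trend_last_year` report name and the `report="404_hourly"` marker field are assumed, while the `404_logs` report, the `summary` index and the searches come from the thread.

```ini
# Added example (assumed app "search"): the populating search runs once a day over exactly
# the previous day, so each day's hourly counts land in the summary index exactly once.
[404_logs]
search = index="is_logs" source="mysite.com" sc_status=404 | timechart span=1h count
description = Summary Index of 404 errors
# Time range matches the schedule: yesterday 00:00 up to today 00:00 (no gaps, no overlaps)
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Run daily at midnight (cron: minute hour day-of-month month day-of-week)
enableSched = 1
cron_schedule = 0 0 * * *
# Write the results into the "summary" index; Splunk adds search_name (and orig_* fields) itself
action.summary_index = 1
action.summary_index._name = summary
# Optional extra field added to every summarized row (constructed name, handy for filtering)
action.summary_index.report = 404_hourly

# Consuming report for the dashboard (assumed name): reads one row per hour from the summary
# index instead of every raw 404 event, so a one-year timechart is cheap.
[404_trend_last_year]
search = index="summary" search_name="404_logs" report="404_hourly" | timechart span=1d sum(count) AS count
dispatch.earliest_time = -1y@d
dispatch.latest_time = @d
```

The scheduled search only covers days from now on; the previous year is filled in with the backfill script from the linked doc, e.g. `splunk cmd python fill_summary_index.py -app search -name 404_logs -et -1y@d -lt @d -j 4 -dedup true -auth admin:<password>`, where `-dedup true` skips any day the scheduled run has already written.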
