- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Summary Index Reports
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone could help me please.
I've put together the search below to create a Summary Index
tags.transactionName = "Send Email Alert" auditType="TxSucceeded" | eval shortForm='detail.formId'." " | eval shortForm = substr(shortForm, 1, 6) | sort 0 detail.messageId | dedup detail.messageId | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
The problem I now have is trying to retrieve the results I know that I need to use "index=summary source="SA Tester" at the beginning of the query but despite several combinations I can't retrieve the results.
I've managed a very simple example of this, but this is more complicated than the tutorials I've been using.
I just wondered whether someone may be able to look at this and let me know where I'm going wrong.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, for those who may be intereseted, I've now got this to work.
This is the query I use in the scheduled report:
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'." "
| eval shortForm = substr(shortForm, 1, 6)
| sort 0 detail.messageId
| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId"
| sichart count by shortForm
And the following is how I retrieve the figures:
index=summary source="SA Letters Suppressed Summary Index Test" | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
I hope this helps.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, for those who may be intereseted, I've now got this to work.
This is the query I use in the scheduled report:
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'." "
| eval shortForm = substr(shortForm, 1, 6)
| sort 0 detail.messageId
| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId"
| sichart count by shortForm
And the following is how I retrieve the figures:
index=summary source="SA Letters Suppressed Summary Index Test" | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
I hope this helps.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your populating search really named EXACTLY Index Report Name?
Is your populating search enabled?
Did you click Enable under Summary Indexing?
What index did you put in the Select the Summary Index field (is it really summary)?
Are you using that same index in your search?
Are you running your search on the same Search Head that is running the populating search (maybe behind a VIP to more than 1 Search Head)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @woodcock, thank you for taking the time to come back to me with this.
In answer to your questions:
- Original post edited to reflect true name of report.
- Yes the populating search is enabled.
- Yes, when I set up the scheduled search I enabled 'Summary Indexing'
- Yes the index is called "summary"
I can confirm that I'm able to see the events so I think but it's just putting this into the chart which appears to be the problem.
I must admit I'm not soo sure what the answer is here. All I can say is that using a simple query I've been able to retrieve the 'Summary Index' results, and I've followed the same method.
I hope this helps.
Many thanks and kind regards
Chris
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
