Hi, I wonder whether someone could help me please.
I've put together the search below to create a Summary Index:
tags.transactionName = "Send Email Alert" auditType="TxSucceeded" | eval shortForm='detail.formId'." " | eval shortForm = substr(shortForm, 1, 6) | sort 0 detail.messageId | dedup detail.messageId | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
The problem I now have is trying to retrieve the results. I know that I need to use "index=summary source="SA Tester"" at the beginning of the query, but despite several combinations I can't retrieve the results.
I've managed a very simple example of this, but this is more complicated than the tutorials I've been using.
I just wondered whether someone may be able to look at this and let me know where I'm going wrong.
Many thanks and kind regards
Chris
Hi, for those who may be interested, I've now got this to work.
This is the query I use in the scheduled report:
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'." "
| eval shortForm = substr(shortForm, 1, 6)
| sort 0 detail.messageId
| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId"
| sichart count by shortForm
And the following is how I retrieve the figures:
index=summary source="SA Letters Suppressed Summary Index Test" | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
I hope this helps.
Many thanks and kind regards
Chris
Is your populating search really named EXACTLY Index Report Name?
Is your populating search enabled?
Did you click Enable under Summary Indexing?
What index did you put in the Select the Summary Index field (is it really summary)?
Are you using that same index in your search?
Are you running your search on the same Search Head that is running the populating search (maybe behind a VIP to more than 1 Search Head)?
Hi @woodcock, thank you for taking the time to come back to me with this.
In answer to your questions:
I can confirm that I'm able to see the events, so I think it's just putting this into the chart which appears to be the problem.
I must admit I'm not so sure what the answer is here. All I can say is that using a simple query I've been able to retrieve the 'Summary Index' results, and I've followed the same method.
I hope this helps.
Many thanks and kind regards
Chris