
Summary Index Reports

Motivator

Hi, I wonder whether someone could help me please.

I've put together the search below to create a Summary Index:

tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"  | eval shortForm='detail.formId'."  " | eval shortForm =  substr(shortForm, 1, 6) | sort 0  detail.messageId  | dedup detail.messageId  | chart count by shortForm  | eval pieSlice=shortForm  + " " + count  | fields pieSlice, count

The problem I now have is trying to retrieve the results. I know that I need to use "index=summary source="SA Tester"" at the beginning of the query, but despite several combinations I can't retrieve the results.

I've managed a very simple example of this, but this is more complicated than the tutorials I've been using.

I just wondered whether someone may be able to look at this and let me know where I'm going wrong.

Many thanks and kind regards

Chris


Re: Summary Index Reports

Esteemed Legend

Is your populating search really named EXACTLY Index Report Name?
Is your populating search enabled?
Did you click Enable under Summary Indexing?
What index did you put in the Select the Summary Index field (is it really summary)?
Are you using that same index in your search?
Are you running your search on the same Search Head that is running the populating search (maybe behind a VIP to more than 1 Search Head)?


Re: Summary Index Reports

Motivator

Hi @woodcock, thank you for taking the time to come back to me with this.

In answer to your questions:

  • Original post edited to reflect true name of report.
  • Yes the populating search is enabled.
  • Yes, when I set up the scheduled search I enabled 'Summary Indexing'.
  • Yes, the index is called "summary".
  • I can confirm that I'm able to see the events, so I think it's just putting this into the chart which appears to be the problem.

  • I must admit I'm not so sure what the answer is here. All I can say is that using a simple query I've been able to retrieve the 'Summary Index' results, and I've followed the same method.

I hope this helps.

Many thanks and kind regards

Chris


Re: Summary Index Reports

Motivator

Hi, for those who may be interested, I've now got this to work.

This is the query I use in the scheduled report:

index= main tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"  
| eval shortForm='detail.formId'."  " 
| eval shortForm =  substr(shortForm, 1, 6) 
| sort 0  detail.messageId  
| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId" 
| sichart count by shortForm

And the following is how I retrieve the figures:

index=summary source="SA Letters Suppressed Summary Index Test" | chart count by shortForm  | eval pieSlice=shortForm  + " " + count  | fields pieSlice, count

I hope this helps.

Many thanks and kind regards

Chris
