Knowledge Management

Summary Index and Field

sabey
New Member

Hi,

Maybe I didn't understand the documentation. I built a summary index from a query on my main index. In my main index I have tons of fields like USERID, FIRSTNAME, etc.; some are bound to a lookup table.

I don't know why I lost all of them in the summary index, even the basic fields. It looks like Splunk doesn't understand the line anymore and only shows very few fields on the left side. There are not a lot of options in the GUI, so I don't know if it is maybe something I have to do under the hood, directly in the ASCII file like the transforms file.

Thanks

0 Karma

jtrucks
Splunk Employee

Is your question specifically why Splunk does not autoextract the fields that do exist in the data in the summary index? For example, the summary index has a line with "user=joe action=jump" but there are no "user" or "action" fields available for searching.

--
Jesse Trucks
Minister of Magic
0 Karma

lguinn2
Legend

First, I hope you looked at this in the documentation: Use Summary Indexing

The very short explanation is this:

  1. Run a "populating search". The populating search runs on a schedule, calculates some summary statistics and stores them in a summary index. For example, you could run a search every hour that counts up the number of errors by server for that hour, and then saves that information. Note that you are summarizing the data - only the fields that you summarize will exist in the summary index. In the example, you will have a count of the errors and a host field - that's it. Here is an example populating search (named popSearch):

    index=main error* | sistats count by host

  2. Run a "reporting search". After you have some data in the summary index, you can write a search to retrieve it and make any final calculations. Note that you MUST retrieve it as you stored it: in the example, we stored an error count by host - and that is exactly what we must retrieve.

    index=summary search_name=popSearch | stats count by host

If you want to report on fields other than host, you must include them in the populating search in step 1.

Hope this helps!
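As an added example (not lguinn2's or Splunk's own configuration), here is how the two searches in the answer above would be wired together in savedsearches.conf, with the scheduling settings that keep consecutive populating runs from overlapping. The index names main and summary, the search name popSearch, the file path and the errors_by_host marker field are assumptions chosen for illustration; the setting names themselves are standard savedsearches.conf keys.

```ini
# Hypothetical app-local savedsearches.conf, e.g.
#   $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
#
# 1. Populating search: runs at the top of every hour over the previous whole
#    hour and writes its si-summary rows into the "summary" index.
[popSearch]
search = index=main error* | sistats count by host
enableSched = 1
cron_schedule = 0 * * * *
# Snap both ends of the window to the hour so run N ends exactly where run N+1
# starts. A window such as earliest=-1h / latest=now on a job that starts late
# overlaps the previous run, so some events land in two summary rows and the
# reporting search counts them twice.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = summary
# Optional marker field added to every summary row; search_name=popSearch is
# added by Splunk automatically and is enough on its own.
action.summary_index.report = errors_by_host

# 2. Reporting search (ad hoc, or saved as a dashboard panel). It must aggregate
#    the same way the populating search did: the summary index holds only host
#    plus the psrsvd_* columns that sistats wrote, so USERID, FIRSTNAME and any
#    lookup-bound field from index=main simply do not exist there.
#
#   index=summary search_name=popSearch earliest=-7d@d latest=@d
#   | stats count by host
#
# Sanity check for doubled counts: with sistats count by host, each hourly run
# writes exactly one row per host, so more than one row per host per hour means
# the same window was summarized twice (overlapping windows, or a backfill run
# on top of the scheduled one).
#
#   index=summary search_name=popSearch
#   | bin _time span=1h
#   | stats count AS rows BY _time host
#   | where rows > 1
```

The report field set by action.summary_index.report is what the "Summary index" action's "Add fields" box writes; it is convenient when several populating searches share one summary index and you want a single field to filter on in the reporting search.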

Chinmai
Explorer

Hi,

I did the same thing for summary indexing as you mentioned above, but I am getting a count value double the original value. Any idea how this is happening?

Thanks in advance.

0 Karma