So after having used Splunk for over a year now, I'm finally getting around to doing my first summary index-based search and it's not working. Clearly I'm missing something that's probably obvious, but I can't figure out what it is.
I had started with the following search
tag=p*aps* source=*/access.log | stats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host | eval MBytes_Total = round((( bytes_sent_total + bytes_received_total ) / 1048576), 2) | eval MBytes_Sent = round((bytes_sent_total / 1048576),2) | eval MBytes_Received = round((bytes_received_total / 1048576),2) | fields host, HTTP_Operations, MBytes_Sent, MBytes_Received, MBytes_Total
which works great run by itself. I read the docs and understand that I have to drop the evals. So I whittled this down to
tag=p*aps* source=*/access.log | sistats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host
I made this a scheduled search to collect this information for yesterday (start -1d@d, end @d) and scheduled to run every day at 10 minutes after midnight. I do not have the enable summary indexing box checked in the scheduled search because I thought I'd understood that the "sistats" command itself would generate the summary data.
So this search runs according to job monitor, but nothing ever shows up in the summary index. In fact, according to the index page under Manager, my summary index hasn't had a new event added in 6 days.
What am I doing wrong?
Simply, you need to check the "enable summary indexing" checkbox.
sistats will generate the data, but will not write it to the summary index.
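As an added illustration (not part of the thread above), this is what the answer amounts to in savedsearches.conf: the "enable summary indexing" checkbox sets action.summary_index, and the target index is action.summary_index._name. The stanza name and the index name summary are assumed for the example; the search, schedule and time window are the ones from the question.

```ini
# Added example, not from the original thread. Stanza name and
# target index ("summary") are assumptions; everything else mirrors
# the question: run at 00:10 daily over yesterday's data.
[http_traffic_by_host_summary]
search = tag=p*aps* source=*/access.log | sistats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host
enableSched = 1
cron_schedule = 10 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# This is the "enable summary indexing" checkbox. Without it the
# sistats output is only kept as a normal search result and nothing
# is written to any index.
action.summary_index = 1
action.summary_index._name = summary
```

To verify the fix, check the index after the next scheduled run: summary events carry sourcetype stash and a source equal to the saved search name, so `index=summary source=http_traffic_by_host_summary` (name assumed as above) should return rows. The reporting search then repeats the same stats clause over the summary index, for example `index=summary source=http_traffic_by_host_summary | stats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host`, and the evals dropped from the original search can be appended after that stats.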
That was it. What I'd understood from the docs was that using "sistats" alone was signalling Splunk that this was a summary index related search. I thought that ticking the enable summary indexing checkbox would handle the details if say you used "stats" instead of "sistats".
Thanks very much, Gerald.