Knowledge Management

Summary indexing not working

a212830
Champion

Hi,

I have a job set up to create a summary index off the license data for longer term storage. The job ran, but my summary index is empty. Not sure why... here's my saved search:

[Hourly_License_byHost_Summary_Index]
action.email = 1
action.email.to = scott.bossi@fmr.com
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index._name = test
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1y@d
cron_schedule = 0 0 * * *
description = Create hourly summary index for license info
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
display.general.timeRangePicker.show = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.patterns.sensitivity = 0.7
display.page.search.tab = statistics
display.visualizations.custom.donut.donut.drilldown = 1
display.visualizations.custom.donut.donut.log = 1
display.visualizations.custom.donut.donut.show_legend = 1
display.visualizations.custom.markdown.markdown.log = 0
display.visualizations.custom.scatterplot_matrix.scatterplot_matrix.log = 0
display.visualizations.custom.scatterplot_matrix.scatterplot_matrix.show_legend = 1
display.visualizations.custom.scatterplot_matrix.scatterplot_matrix.show_trend = 1
display.visualizations.custom.type = aplura_viz_donut.donut
display.visualizations.show = 0
display.visualizations.type = custom
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_app = search
request.ui_dispatch_view = search
schedule_window = 300
search = index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)", idx) | eval sourcetypename = st | bin _time span=1h | stats sum(b) as b by _time, pool, indexname, sourcetypename, h | eval GB=round(b/1024/1024/1024, 3) | fields _time, pool, indexname, sourcetypename, h, GB

----- Update

OK. Figured it out. Index didn't exist. Not sure why it didn't generate any messages for the search though... that's a bit strange.

That said, it's putting the entire event in the summary index. I just want certain fields - _time, pool, indexname, sourcetypename, h, GB - how would I do that?

0 Karma

jkat54
SplunkTrust

Can you add your answer as the answer to your own question and then mark it as such?

Thanks!

0 Karma

somesoni2
SplunkTrust

"it's putting the entire event in the summary index." Could you post the event that you get in your summary index? Even if you see the data in tabular form from your search, it will be stored as raw events (with fields appearing as key value pair with some additional info) in summary index.

0 Karma

Jeremiah
Motivator

Instead of fields try | table _time, pool, indexname, sourcetypename, h, GB ?

a212830
Champion

Thanks. Not sure if this is normal... I get the following, which has the fields but also a bunch of other stuff. I was expecting just the fields that I stated:

06/16/2016 23:00:00 -0400, search_name=Hourly_License_byHost_Summary_Index, search_now=1466172480.000, info_min_time=1466049600.000, info_max_time=1466136000.000, info_search_time=1466172481.206, GB="0.000", h="abcdef0806n.fmr.com", indexname=summary, pool=auto_generated_pool_enterprise, sourcetypename=meta_woot

0 Karma

Jeremiah
Motivator

The additional fields search_now, info_min_time, etc., are inserted by the summary indexing command, so that's normal.
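As an added example (not part of this thread and not any poster's code), the following Python reproduces what the posted search and the summary event above describe: it parses Splunk-style key=value events, replicates the search's hourly sum(b) per pool, index, sourcetype and host with the "(UNKNOWN)" mapping for an empty or missing idx, and splits a summary-index event into the data fields the search emitted versus the search_* and info_* bookkeeping fields that the summary indexing command adds. The license_usage.log lines are constructed sample input modelled on the Usage line layout, with made-up hosts and byte counts; the summary event is the one quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# key=value pairs as Splunk writes them: quoted values may contain spaces and
# commas; unquoted values run up to the next whitespace or comma.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')
# Timestamp prefixes: license_usage.log uses MM-DD-YYYY with milliseconds,
# summary-index events use MM/DD/YYYY without them.
LICENSE_TS_RE = re.compile(r'^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})')
SUMMARY_TS_RE = re.compile(r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})')
# Bookkeeping fields added by the summary indexing command (normal, per the thread).
META_PREFIXES = ("search_", "info_")

# Constructed sample lines (hosts, GUID and byte counts are made up).
SAMPLE_LICENSE_LOG = [
    '06-16-2016 22:59:59.900 -0400 INFO  LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="host1.example.com" o="" idx="os" i="ABCDEF01" pool="auto_generated_pool_enterprise" b=1048576 poolsz=53687091200',
    '06-16-2016 23:00:01.118 -0400 INFO  LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="host1.example.com" o="" idx="os" i="ABCDEF01" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=53687091200',
    '06-16-2016 23:30:00.500 -0400 INFO  LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="host1.example.com" o="" idx="os" i="ABCDEF01" pool="auto_generated_pool_enterprise" b=536870912 poolsz=53687091200',
    # Empty idx: the search maps this to "(UNKNOWN)".
    '06-16-2016 23:45:10.000 -0400 INFO  LicenseUsage - type=Usage s="/var/log/messages" st="syslog" h="host1.example.com" o="" idx="" i="ABCDEF01" pool="auto_generated_pool_enterprise" b=1048576 poolsz=53687091200',
    # Not a Usage line: the search's type="Usage" filter drops it.
    '06-16-2016 23:59:59.000 -0400 INFO  LicenseUsage - type=RolloverSummary lastDayUsed="" pool="auto_generated_pool_enterprise" b=0 poolsz=53687091200',
]
# The summary-index event quoted in the thread.
SAMPLE_SUMMARY_EVENT = ('06/16/2016 23:00:00 -0400, search_name=Hourly_License_byHost_Summary_Index, '
                        'search_now=1466172480.000, info_min_time=1466049600.000, info_max_time=1466136000.000, '
                        'info_search_time=1466172481.206, GB="0.000", h="abcdef0806n.fmr.com", indexname=summary, '
                        'pool=auto_generated_pool_enterprise, sourcetypename=meta_woot')


def parse_kv(line):
    """Return a dict of key=value pairs from one raw event line (quotes stripped)."""
    out = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def hourly_license_usage(lines):
    """Replicate the posted search: keep type=Usage lines, map empty or missing
    idx to "(UNKNOWN)", bin _time to the hour, sum b per (hour, pool, indexname,
    sourcetypename, h) and compute GB = round(b/1024^3, 3). Rows come back
    sorted by that key."""
    totals = defaultdict(int)
    for line in lines:
        f = parse_kv(line)
        if f.get("type") != "Usage":
            continue
        m = LICENSE_TS_RE.match(line)
        if not m:
            continue  # skip lines without the expected timestamp prefix
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        hour = ts.replace(minute=0, second=0, microsecond=0)  # bin _time span=1h
        idx = f.get("idx")
        indexname = "(UNKNOWN)" if not idx else idx  # len(idx)=0 OR isnull(idx)
        key = (hour.isoformat(), f.get("pool"), indexname, f.get("st"), f.get("h"))
        totals[key] += int(f.get("b", 0))
    rows = []
    for (hour, pool, indexname, st, h), b in sorted(totals.items()):
        rows.append({"_time": hour, "pool": pool, "indexname": indexname,
                     "sourcetypename": st, "h": h,
                     "GB": round(b / 1024 / 1024 / 1024, 3)})
    return rows


def split_summary_event(line):
    """Split a summary-index event into (data, meta): data holds the fields the
    search emitted plus _time (epoch seconds from the leading timestamp); meta
    holds the search_* and info_* fields inserted by the summary indexing command."""
    f = parse_kv(line)
    data = {k: v for k, v in f.items() if not k.startswith(META_PREFIXES)}
    meta = {k: v for k, v in f.items() if k.startswith(META_PREFIXES)}
    m = SUMMARY_TS_RE.match(line)
    if m:
        data["_time"] = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S %z").timestamp()
    return data, meta


if __name__ == "__main__":
    for row in hourly_license_usage(SAMPLE_LICENSE_LOG):
        print(row)
    data, meta = split_summary_event(SAMPLE_SUMMARY_EVENT)
    print("data fields:", sorted(data))
    print("bookkeeping fields:", sorted(meta))
```

Running the script prints three hourly rows (the two 23:00 linux_secure lines collapse into one 1.5 GB row, the empty idx line becomes an "(UNKNOWN)" row) and shows that the quoted summary event splits cleanly into the five requested data fields plus _time on one side and the search_*/info_* bookkeeping on the other, which is what the replies above describe as normal.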

sloshburch
Splunk Employee

Agreed - that all looks normal.

0 Karma