creating summary index

splunkingsplunk
Explorer

Hi,

I am new to Splunk and unable to create summary indexing.

I have to create a timechart of volume in GB served for the last 2 hours, 24 hours, 7 days and 30 days. I am using these searches:

For the last 2 hours:
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1min sum(volumegb)

For the last 24 hours:
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1hr sum(volumegb)

For the last 7 days and 30 days:
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1day sum(volumegb)

It is taking hours to compute the values, so I planned to go for summary indexing and scheduled the search to run every 5 minutes, but I am not able to get the data using my summary index.

Please let me know how I can use the summary index to retrieve the data.

Thanks


splunkingsplunk
Explorer

Problem with creating summary index

These are the different types of searches I tried for the summary index test3:

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart sum(volumegb)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | sistats sum(volumegb)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | streamstats sum(volumegb)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart sum(volumegb) span=1min

But when I search from the summary index test3:

index=test3 | timechart sum(volumegb) span=1min

I am not getting the calculated values. It is calculating again in the sistats case; in the other cases I am not finding any values for volumegb in the data chart.

Or

Please forget everything and let me know how to create a summary index for a log like

2011-09-29 06:47:53.983 y "GET /prod_content/dp20110428145216/04/dp20110428145216_04_1437.ts HTTP/1.1" 14.10.172.446 2058629 b00001000003 444934 2896 206 "-" "-" "-" 392

where 444934 is the volume in bytes. I need to show data volume in GB served per unit time for the past 2 hours, 24 hours, 7 days and 30 days. I am able to calculate it using the search command

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart sum(volumegb) span=1hr (for the 24-hour time period, unit time hours)

but I am unable to get it from the summary index.

Hi Chris, can you please look into this? Even though I am using sistats I am unable to get the data as required from the summary index.


ChrisG
Splunk Employee

Have you read the documentation about summary indexing? See http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing and the topics that follow it. If you have followed those examples and are still running into trouble, please provide more information about your summary index configuration and the specific search you're trying to run on it.


splunkingsplunk
Explorer

Hi Chris, can you see the answer below? I even tried
index="level3" | eval volumegb=VOLumeBytes/(1024*1024*1024) | sistats sum(volumegb)
and that also did not work.

Sorry for bothering you; I have been working on it for 18 hours continuously.

Thanks


ChrisG
Splunk Employee

I thought that might be the case, that's why I referred you to the documentation. "If you are new to summary indexing, use the summary indexing reporting commands (sichart, sitimechart, sistats, sitop, and sirare) when you define the search that will populate the summary index. If you use these commands you can use the same search string that you use for the search that you eventually run on the summary index, with the exception that you use regular reporting commands in the latter search."

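To make the advice in that quotation concrete, here is an added example (not from this thread or the Splunk documentation) of a savedsearches.conf stanza that populates a summary index with sitimechart, followed by the matching timechart searches that read it back. The stanza name, the summary index name level8_summary, the summary_name field, the cron schedule and the time window are assumptions chosen for illustration; VOLumeBytes is assumed to already be an extracted field, as the original poster's searches imply.

```ini
# Added example, not the poster's or Splunk's own configuration.
# Names (stanza, index, summary_name field) and the schedule are assumptions.

[level8_volume_summary]
# Run every 5 minutes, and only over the previous 5 minutes of data, so each
# run writes one small slice instead of re-reading the whole index.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Populating search: the si* form of the reporting command that will later be
# run against the summary. Use the finest span any panel needs (1 minute for
# the 2-hour view); coarser views are rolled up at read time.
search = index=level8 | eval volumegb=VOLumeBytes/(1024*1024*1024) | sitimechart span=1min sum(volumegb)

# Send the results to the summary index instead of the normal results store.
action.summary_index = 1
action.summary_index._name = level8_summary

# action.summary_index.<field> adds a field to every summary event; tagging
# each event with the search that produced it lets several summaries share
# one index without mixing their fields. The field name is an assumption.
action.summary_index.summary_name = level8_volume_summary

# Reading the summary back: the same pipeline, but with the regular command.
# The sitimechart data is re-aggregated to whatever span the panel needs.
#
#   Last 2 hours:   index=level8_summary summary_name=level8_volume_summary | timechart span=1min sum(volumegb)
#   Last 24 hours:  index=level8_summary summary_name=level8_volume_summary | timechart span=1hr sum(volumegb)
#   Last 7/30 days: index=level8_summary summary_name=level8_volume_summary | timechart span=1day sum(volumegb)
```

Two caveats a practitioner will hit: the eval that produces volumegb must sit before sitimechart in the populating search (otherwise the summary has no such field, which matches the empty charts reported above), and the summary only contains data from the moment the scheduled search started running, so a 30-day panel stays sparse until a month has passed unless the earlier time range is backfilled.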

splunkingsplunk
Explorer

No, I am not using any si commands in the search.

2011-09-27 12:49:58.977 y "GET /prod_content/dp20110408145319/04/dp20110408145319_04_1249.ts HTTP/1.1" 24.22.94.578 2326789 b00007934003 {{623284}} 1026 206 "-" "-" "-" 393

This is my log file, and {{623284}} is the volume in bytes. I need to pick the volume bytes, convert it to GB and display the volume in GB transferred with respect to time, for the past 2 hours (aggregated in minutes), 24 hours (aggregated in hours), 7 days (aggregated in days) and 30 days.
So I am planning to use summary indexing with the search command
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1min sum(volumegb)
If I have to use an si command, please let me know how to use it.


ChrisG
Splunk Employee

Are you using the si* commands in your search?


splunkingsplunk
Explorer

Hi Chris, thanks for the response. I have gone through that doc.
There is 36 GB of data indexed. I created a new search
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1min sum(volumegb)
and scheduled it to run every 5 minutes. I also enabled the summary indexing option in the schedule, selected the summary index level8 and saved it. Now how can I use the summary index to get the calculated values?
