
creating summary index

hi

I am new to Splunk and unable to create a summary index.

I have to create a timechart of the volume in GB served for the last 2 hours, 24 hrs, 7 days and 30 days.
I am using the search
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1min sum(volumegb)
when searching the last 2 hrs,
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1hr sum(volumegb)
when searching the last 24 hrs, and
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1day sum(volumegb)
when searching the last 7 days and 30 days.

It is taking hours to compute the values, so I planned to go for summary indexing and scheduled the search to run every 5 mins. But I am not able to get the data using my summary index.

Please let me know how I can use the summary index to retrieve the data.

Thanks


Re: creating summary index

Splunk Employee

Have you read the documentation about summary indexing? See http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing and the topics that follow it. If you have followed those examples and are still running into trouble, please provide more information about your summary index configuration and the specific search you're trying to run on it.


Re: creating summary index

Hi Chris, thanks for the response. I have gone through that doc.
There is 36 GB of data indexed. I created a new search
index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1min sum(volumegb)
and scheduled it to run every 5 mins. I also enabled the summary indexing option in the schedule, selected the summary index level8 and saved it. Now how can I use the summary index to get the calculated values?


Re: creating summary index

Splunk Employee

Are you using the si* commands in your search?


Re: creating summary index

No, I am not using any si commands in the search.

12:49:58.977 PM
2011-09-27 12:49:58.977 y "GET /prodcontent/dp20110408145319/04/dp2011040814531904_1249.ts HTTP/1.1" 24.22.94.578 2326789 b00007934003 {{623284}} 1026 206 "-" "-" "-" 393
This is my log file and {{623284}} is the volume in bytes. I need to pick the volume in bytes, convert it to GB and display the volume in GB transferred with respect to time, for the past 2 hrs (aggregated in mins), 24 hrs (aggregated in hrs), 7 days (aggregated in days) and 30 days.
So I am planning to use summary indexing with the search command index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart span=1min sum(volumegb)
If I have to use an si command, please let me know how to use it.


Re: creating summary index

Splunk Employee

I thought that might be the case, that's why I referred you to the documentation. "If you are new to summary indexing, use the summary indexing reporting commands (sichart, sitimechart, sistats, sitop, and sirare) when you define the search that will populate the summary index. If you use these commands you can use the same search string that you use for the search that you eventually run on the summary index, with the exception that you use regular reporting commands in the latter search."

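As an added illustration (not part of the original thread, and not Splunk's own documentation), here is the populate/consume pair the quoted documentation describes, written as savedsearches.conf stanzas. It assumes the field VOLumeBytes and source index level8 from the question, a dedicated summary index named summary_level8 that already exists, and a report name of my choosing.

```ini
# savedsearches.conf: populate a dedicated summary index every 5 minutes
[level8 volume summary populate]
# si* command in the populating search; same statistic as the reports below
search = index="level8" | eval volumegb=VOLumeBytes/(1024*1024*1024) | sitimechart span=1m sum(volumegb)
enableSched = 1
cron_schedule = */5 * * * *
# summarise a window that ends 5 minutes ago so late-arriving events are not missed
dispatch.earliest_time = -10m@m
dispatch.latest_time = -5m@m
action.summary_index = 1
# write into a separate index (assumed name), not into the raw "level8" index
action.summary_index._name = summary_level8
# stamp every summary event with a report name so several summaries can share the index
action.summary_index.report = level8_volume_1m

# reports read the summary with the regular timechart and any span coarser than 1m
[level8 volume last 2h]
search = index=summary_level8 report=level8_volume_1m | timechart span=1min sum(volumegb)
dispatch.earliest_time = -2h
dispatch.latest_time = now

[level8 volume last 24h]
search = index=summary_level8 report=level8_volume_1m | timechart span=1hr sum(volumegb)
dispatch.earliest_time = -24h
dispatch.latest_time = now

[level8 volume last 30d]
search = index=summary_level8 report=level8_volume_1m | timechart span=1day sum(volumegb)
dispatch.earliest_time = -30d
dispatch.latest_time = now
```

The summary index must be defined in indexes.conf before the scheduled search first runs, and the 1-minute buckets written by sitimechart are what let the 2-hour report keep its 1-minute resolution while the longer reports roll them up.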

Re: creating summary index

Hi Chris, can you see the answer below? I even tried
index="level3" | eval volumegb=VOLumeBytes/(1024*1024*1024) | sistats sum(volumegb)
and it also did not work.

Sorry for bothering you, I have been working on it for 18 hrs continuously.

Thanks


Re: creating summary index

Problem with creating a summary index

These are the different searches I tried for the summary index test3.

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart sum(volumegb)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | sistats sum(volumegb)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | streamstats sum(volumegb)

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart sum(volumegb) span=1min

But when I search the summary index test3 with

index=test3 | timechart sum(volumegb) span=1min

I am not getting the calculated values. In the sistats case it is calculating again; in the other cases I am not finding any values for volumegb in the data chart.

Or

please forget everything and let me know how to create a summary index for a log like

2011-09-29 06:47:53.983 y "GET /prodcontent/dp20110428145216/04/dp2011042814521604_1437.ts HTTP/1.1" 14.10.172.446 2058629 b00001000003 444934 2896 206 "-" "-" "-" 392

where 444934 is the volume in bytes, and I need to show the data volume in GB served per unit time for the past 2 hrs, 24 hrs, 7 days and 30 days. I am able to calculate it using the search command

index=level3 | eval volumegb=VOLumeBytes/(1024*1024*1024) | timechart sum(volumegb) span=1hr (for the 24 hrs time period, unit time hrs)

but I am unable to get it from the summary index.

Hi Chris, can you please look into this? Even though I am using sistats, I am unable to get the data as required from the summary index.
