Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

doing a summary index - getting started - my first time

HattrickNZ
Motivator
‎04-05-2016 03:02 PM

I have a search 

...|timechart span=d sum(kpi1) sum(kpi2) max(kpi3) max(kpi4) | 
foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]

that gives me the following:(this is saved as a report and then I go to Settings > Searches, Reports, and Alerts. Find the saved report and here is where I can setup my summary index)

    _time   sum(kpi1)   sum(kpi2)   max(kpi3)   max(kpi4)
1   2015-04-27  2063.31 8674.09 2104.23 499.82
2   2015-04-28  2480.92 7945.15 1931.56 701.35
3   2015-04-29  1969.85 6383.18 2072.72 695.52
4   2015-04-30  3443.03 10555.85    2077.22 755.18
5   2015-05-01  2698.94 8018.81 1985.91 726.87
6   2015-05-02  2680.29 9171.90 2085.58 654.53
...
342 2016-04-02  11162.27    16281.40    2235.12 1653.27
343 2016-04-03  10437.93    15564.98    2082.37 1573.27
344 2016-04-04  11110.42    14474.52    2182.29 1888.99
345 2016-04-05  11336.11    14378.96    2079.45 1862.88

I would like to set up a summary index but am unsure how to do it. I am doing some reading here.
But i am finding it a bit lacking so here I am asking the question and also hope to document how i get it to work which might complement the documentation.

The search and the output above is what I am trying to achieve. Now how do i do this using summary indexes?

**1. I have to get the summary index to have daily values since 2015-04-27 to now.
**2. i have to get the summary index to have daily values going forward from now.

that way, if my understanding is correct I will have something like, index=summary report=description_day_summary | which will give me the output above.

Now below are the options available to me when setting up this summary indexing.

Based on what I have said so far, can anyone advise what settings I have to work with or what settings I should ignore?
To get to the below images i have a saved report and then I go to Settings > Searches, Reports, and Alerts. find the saved report and here is where I can setup my summary index.

creating summary index options1

creating summary index options2

Regarding 2 above (2. i have to get the summary index to have daily values going forward from now. ).
**TimeRange
i would imagine I have to set up the search to be scheduled daily for a starttime of -1d@d to a endtime of @d.
Acceleration
Don't plan to use
Schedule and Alert
set up a schedule daily to get the previous days value.
Alert
Don't plan to use
Alert Action
nothing important here but i might get an email sent initially just to show that it is working
Summary Indexing
here i will leave the index as summary and i will add a field like report=description_day_summary, that way to get the summay data that I want I would do index=summary report=description_day_summary |

Regarding 1 above (**1. I have to get the summary index to have daily values since 2015-04-27 to now.)
I am unsure how to do this or if it can be done. my concern is what will the timesamp be _time

other similar topics here
https://answers.splunk.com/answers/186687/cant-get-started.html?utm_source=typeahead&utm_medium=newq...
https://answers.splunk.com/answers/67041/how-do-i-test-whether-the-summary-index-is-working.html?utm...
https://answers.splunk.com/answers/48641/summary-index-noob-question.html?utm_source=typeahead&utm_m...
https://answers.splunk.com/answers/8849/summary-index-and-backfill-doing-reports-on-the-original-tim...
https://answers.splunk.com/answers/138685/summary-indexing.html?utm_source=typeahead&utm_medium=newq...
https://answers.splunk.com/answers/5697/how-do-i-maintain-quality-of-the-summary-index.html?utm_sour...
https://answers.splunk.com/answers/24244/my-first-summary-index-what-am-i-doing-wrong-with-the-stats...
https://answers.splunk.com/answers/8365/summary-index-best-practice.html?utm_source=typeahead&utm_me...

Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2016 03:29 PM

Set your search to run from -d@d to @d and schedule it to run every morning/night. That'll take care of any future values.

Then, read http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Managesummaryindexgapsandoverlaps#Use_th... and backfill old data accordingly.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-05-2016 03:29 PM

Set your search to run from -d@d to @d and schedule it to run every morning/night. That'll take care of any future values.

Then, read http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Managesummaryindexgapsandoverlaps#Use_th... and backfill old data accordingly.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-05-2016 01:23 PM

If this solved your question please do mark the answer as accepted.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-06-2016 06:30 PM

The timestamp will be retained as whatever your summarizing search put into _time. Protip: Make a testing summary index, run summary search, look at results.

The additional fields can help for example when you group several summarizing searches into one report - much easier to use groupingfield=foo than a list of search_name=. If you're just referring to one search's output, you can also use the source field for faster filtering.

Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-05-2016 07:15 PM

if i do that will index=summary report=description_day_summary | give me the output that i want? Or will I have to do something like index=summary report=description_day_summary | stats values(*) as * I am just wondering what the the timestamp(_time) will be here?

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-05-2016 08:19 PM

what is the point of the add fields under Summary Indexing? As I understand, if I add the field report=description_day_summary I could then use this search on my summary index.

index=summary report=description_day_summary |

But is there any point really if i can do this by the search name?

"index=summary search_name="description_day_summary" |

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...