
doing a summary index - getting started - my first time

HattrickNZ
Motivator

I have a search

...|timechart span=d sum(kpi1) sum(kpi2) max(kpi3) max(kpi4) | 
foreach * [eval <<FIELD>>=round('<<FIELD>>',2)] 

That gives me the following (this is saved as a report; then I go to Settings > Searches, Reports, and Alerts, find the saved report, and that is where I can set up my summary index):

      _time       sum(kpi1)  sum(kpi2)  max(kpi3)  max(kpi4)
1     2015-04-27  2063.31    8674.09    2104.23    499.82
2     2015-04-28  2480.92    7945.15    1931.56    701.35
3     2015-04-29  1969.85    6383.18    2072.72    695.52
4     2015-04-30  3443.03    10555.85   2077.22    755.18
5     2015-05-01  2698.94    8018.81    1985.91    726.87
6     2015-05-02  2680.29    9171.90    2085.58    654.53
...
342   2016-04-02  11162.27   16281.40   2235.12    1653.27
343   2016-04-03  10437.93   15564.98   2082.37    1573.27
344   2016-04-04  11110.42   14474.52   2182.29    1888.99
345   2016-04-05  11336.11   14378.96   2079.45    1862.88

I would like to set up a summary index but am unsure how to do it. I am doing some reading here.
But I am finding it a bit lacking, so here I am asking the question and also hoping to document how I get it to work, which might complement the documentation.

The search and the output above are what I am trying to achieve. Now how do I do this using summary indexes?

1. I have to get the summary index to have daily values from 2015-04-27 to now.
2. I have to get the summary index to have daily values going forward from now.

That way, if my understanding is correct, I will have something like index=summary report=description_day_summary | which will give me the output above.

Now below are the options available to me when setting up this summary indexing.

Based on what I have said so far, can anyone advise what settings I have to work with or what settings I should ignore?
To get to the below images I have a saved report, and then I go to Settings > Searches, Reports, and Alerts, find the saved report, and here is where I can set up my summary index.

[image: creating summary index options1]

[image: creating summary index options2]

Regarding 2 above (2. I have to get the summary index to have daily values going forward from now):
Time Range

I would imagine I have to set up the search to be scheduled daily with a starttime of -1d@d and an endtime of @d.
Acceleration
Don't plan to use
Schedule and Alert
Set up a schedule daily to get the previous day's value.
Alert
Don't plan to use
Alert Action
Nothing important here, but I might get an email sent initially just to show that it is working.
Summary Indexing
Here I will leave the index as summary and I will add a field like report=description_day_summary; that way, to get the summary data that I want, I would do index=summary report=description_day_summary |

Regarding 1 above (1. I have to get the summary index to have daily values from 2015-04-27 to now):
I am unsure how to do this or if it can be done. My concern is what the timestamp (_time) will be.

Other similar topics here:
https://answers.splunk.com/answers/186687/cant-get-started.html?utm_source=typeahead&utm_medium=newq...
https://answers.splunk.com/answers/67041/how-do-i-test-whether-the-summary-index-is-working.html?utm...
https://answers.splunk.com/answers/48641/summary-index-noob-question.html?utm_source=typeahead&utm_m...
https://answers.splunk.com/answers/8849/summary-index-and-backfill-doing-reports-on-the-original-tim...
https://answers.splunk.com/answers/138685/summary-indexing.html?utm_source=typeahead&utm_medium=newq...
https://answers.splunk.com/answers/5697/how-do-i-maintain-quality-of-the-summary-index.html?utm_sour...
https://answers.splunk.com/answers/24244/my-first-summary-index-what-am-i-doing-wrong-with-the-stats...
https://answers.splunk.com/answers/8365/summary-index-best-practice.html?utm_source=typeahead&utm_me...

1 Solution

martin_mueller
SplunkTrust

Set your search to run from -d@d to @d and schedule it to run every morning/night. That'll take care of any future values.

Then, read http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Managesummaryindexgapsandoverlaps#Use_th... and backfill old data accordingly.
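
As an added example, not from the thread, here is how the settings described in the question and in this answer look in savedsearches.conf; the stanza name, the source index in the base search, the app and the cron time are assumptions:

```ini
# savedsearches.conf stanza for the summarizing report (added example, not from
# the thread; stanza name, source index and cron minute are assumptions)
[description_day_summary]
# Base search is assumed; the timechart/foreach tail is the one from the question.
search = index=kpi_data sourcetype=kpi | timechart span=1d sum(kpi1) sum(kpi2) max(kpi3) max(kpi4) | foreach * [eval <<FIELD>>=round('<<FIELD>>',2)]

# Time Range: yesterday midnight to today midnight, so each run
# summarizes exactly one complete day and runs never overlap.
dispatch.earliest_time = -1d@d
dispatch.latest_time   = @d

# Schedule: once per day, shortly after midnight, so yesterday's data is complete.
enableSched   = 1
cron_schedule = 5 0 * * *

# Summary Indexing: write the results into index "summary" and stamp every
# stored event with report=description_day_summary (the "add fields" option).
action.summary_index        = 1
action.summary_index._name  = summary
action.summary_index.report = description_day_summary
```

Each stored event keeps the _time of its timechart bucket, so index=summary report=description_day_summary | table _time sum(kpi1) sum(kpi2) max(kpi3) max(kpi4) returns the daily rows. Days before the schedule existed are filled following the linked docs with $SPLUNK_HOME/bin/splunk cmd python fill_summary_index.py -app search -name description_day_summary -et -365d@d -lt @d -dedup true -auth admin:<password> (app and credentials assumed; adjust -et to reach back to 2015-04-27).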


martin_mueller
SplunkTrust

If this solved your question please do mark the answer as accepted.


martin_mueller
SplunkTrust

The timestamp will be retained as whatever your summarizing search put into _time. Protip: Make a testing summary index, run summary search, look at results.

The additional fields can help for example when you group several summarizing searches into one report - much easier to use groupingfield=foo than a list of search_name=. If you're just referring to one search's output, you can also use the source field for faster filtering.

HattrickNZ
Motivator

If I do that, will index=summary report=description_day_summary | give me the output that I want? Or will I have to do something like index=summary report=description_day_summary | stats values(*) as *? I am just wondering what the timestamp (_time) will be here.


HattrickNZ
Motivator

What is the point of the add fields under Summary Indexing? As I understand it, if I add the field report=description_day_summary I could then use this search on my summary index.

index=summary report=description_day_summary |

But is there any point really if I can do this by the search name?

index=summary search_name="description_day_summary" |
