Knowledge Management

doing a summary index - getting started - my first time

HattrickNZ
Motivator

I have a search

...|timechart span=d sum(kpi1) sum(kpi2) max(kpi3) max(kpi4) | 
foreach * [eval <<FIELD>>=round('<<FIELD>>',2)] 

that gives me the following:(this is saved as a report and then I go to Settings > Searches, Reports, and Alerts. Find the saved report and here is where I can setup my summary index)

    _time   sum(kpi1)   sum(kpi2)   max(kpi3)   max(kpi4)
1   2015-04-27  2063.31 8674.09 2104.23 499.82
2   2015-04-28  2480.92 7945.15 1931.56 701.35
3   2015-04-29  1969.85 6383.18 2072.72 695.52
4   2015-04-30  3443.03 10555.85    2077.22 755.18
5   2015-05-01  2698.94 8018.81 1985.91 726.87
6   2015-05-02  2680.29 9171.90 2085.58 654.53
...
342 2016-04-02  11162.27    16281.40    2235.12 1653.27
343 2016-04-03  10437.93    15564.98    2082.37 1573.27
344 2016-04-04  11110.42    14474.52    2182.29 1888.99
345 2016-04-05  11336.11    14378.96    2079.45 1862.88

I would like to set up a summary index but am unsure how to do it. I am doing some reading here.
But i am finding it a bit lacking so here I am asking the question and also hope to document how i get it to work which might complement the documentation.

The search and the output above is what I am trying to achieve. Now how do i do this using summary indexes?

**1. I have to get the summary index to have daily values since 2015-04-27 to now.
**2. i have to get the summary index to have daily values going forward from now.

that way, if my understanding is correct I will have something like, index=summary report=description_day_summary | which will give me the output above.

Now below are the options available to me when setting up this summary indexing.

Based on what I have said so far, can anyone advise what settings I have to work with or what settings I should ignore?
To get to the below images i have a saved report and then I go to Settings > Searches, Reports, and Alerts. find the saved report and here is where I can setup my summary index.

creating summary index options1

creating summary index options2

Regarding 2 above (2. i have to get the summary index to have daily values going forward from now. ).
**TimeRange

i would imagine I have to set up the search to be scheduled daily for a starttime of -1d@d to a endtime of @d.
Acceleration
Don't plan to use
Schedule and Alert
set up a schedule daily to get the previous days value.
Alert
Don't plan to use
Alert Action
nothing important here but i might get an email sent initially just to show that it is working
Summary Indexing
here i will leave the index as summary and i will add a field like report=description_day_summary, that way to get the summay data that I want I would do index=summary report=description_day_summary |

Regarding 1 above (**1. I have to get the summary index to have daily values since 2015-04-27 to now.)
I am unsure how to do this or if it can be done. my concern is what will the timesamp be _time

other similar topics here
https://answers.splunk.com/answers/186687/cant-get-started.html?utm_source=typeahead&utm_medium=newq...
https://answers.splunk.com/answers/67041/how-do-i-test-whether-the-summary-index-is-working.html?utm...
https://answers.splunk.com/answers/48641/summary-index-noob-question.html?utm_source=typeahead&utm_m...
https://answers.splunk.com/answers/8849/summary-index-and-backfill-doing-reports-on-the-original-tim...
https://answers.splunk.com/answers/138685/summary-indexing.html?utm_source=typeahead&utm_medium=newq...
https://answers.splunk.com/answers/5697/how-do-i-maintain-quality-of-the-summary-index.html?utm_sour...
https://answers.splunk.com/answers/24244/my-first-summary-index-what-am-i-doing-wrong-with-the-stats...
https://answers.splunk.com/answers/8365/summary-index-best-practice.html?utm_source=typeahead&utm_me...

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Set your search to run from -d@d to @d and schedule it to run every morning/night. That'll take care of any future values.

Then, read http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Managesummaryindexgapsandoverlaps#Use_th... and backfill old data accordingly.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Set your search to run from -d@d to @d and schedule it to run every morning/night. That'll take care of any future values.

Then, read http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Managesummaryindexgapsandoverlaps#Use_th... and backfill old data accordingly.

martin_mueller
SplunkTrust
SplunkTrust

If this solved your question please do mark the answer as accepted.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The timestamp will be retained as whatever your summarizing search put into _time. Protip: Make a testing summary index, run summary search, look at results.

The additional fields can help for example when you group several summarizing searches into one report - much easier to use groupingfield=foo than a list of search_name=. If you're just referring to one search's output, you can also use the source field for faster filtering.

HattrickNZ
Motivator

if i do that will index=summary report=description_day_summary | give me the output that i want? Or will I have to do something like index=summary report=description_day_summary | stats values(*) as * I am just wondering what the the timestamp(_time) will be here?

0 Karma

HattrickNZ
Motivator

what is the point of the add fields under Summary Indexing? As I understand, if I add the field report=description_day_summary I could then use this search on my summary index.

index=summary report=description_day_summary |

But is there any point really if i can do this by the search name?

"index=summary search_name="description_day_summary" |

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...