Hi,
Is it possible to add a new source to an already existing summary index?
We have one source used for the summary index.
Could any new source possibly be added?
Yes, a summary index can have many sources. Once an index exists, it is possible to direct many sources into it - this is true for regular indexes and summary indexes.
How to add a new source to the summary index?
That really depends on your use case. Probably the most common way is to feed into a summary index using saved searches or reports. Here are some good walk-through documents that should help you determine how to approach this:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usesummaryindexing
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Configuresummaryindexes
@Mohsin123 use the new source in your collect statement. Instead of
| collect index=downloadcount
do this
| collect index=downloadcount source=mynewsource