Knowledge Management

summary indexing data

hi i am using the below query to summary index

index=level3 earliest=+285min latest=+300min | eval volumegb=volumebytes/(102410241024) | sitimechart sum(volumegb),distinct_count(ipaddr) span=1min

for every 15 mins, new log file will be added to level3 indexing and that file consists of data varying from next 50 mins to next 6 hrs.

so the above summary indexing dont work as new data will be added to level3 index for various time intervals. but the data is added to level3 index from a single file for every 15 mins

is there any way i can summary index new data from index level3


0 Karma

Splunk Employee
Splunk Employee

First : you shouldn't summarize your data until all your events are indexed.

Or you want to consolidate your summaries, you will have to :

Thanks for the reply YannK. but depending on my summary index data. our developer is trying to show graph values like amount of gb served for past 2hrs, 24 hrs 7 days. so i f ihave to delete 7 hrs of data and sumamry index it again his graph will be missing data for that time. is there any way i can summary-index only new events indexed by level3(index) in particular time period(time period it indexed the data) not the event time period. sorry if it is a dumb question..

0 Karma