
How does a report behave with summary index?

Path Finder

I have a report 'X' which is scheduled to run at a certain interval of time. According to the search query used in the report 'X', it returns the respective results. Summary indexing is also enabled to index the data events whenever the report 'X' search query runs.

Now I would like to know how my report 'X' behaves if I just directly open it to view, because my report is set to index under summary indexing. So if I open my report 'X' to view the results of its respective search, will it give me the results, or can the results be seen only when I traverse through the summary index (and its respective source/sourcetype)?

Could anyone please clarify the above?

0 Karma

Re: How does a report behave with summary index?

SplunkTrust

The result of your report depends only on the normal indexes unless the 'report search' itself has a reference to the summary index (e.g., exclusion of some results which are already in the summary). So when you open the report X manually to see the results, it's searching your normal index.

References: https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Usesummaryindexing#Summary_indexing_use...

0 Karma