Reporting

How does a report behave with summary index?

akarivaratharaj
Communicator

I have a report 'X' which is scheduled to run at a certain interval of time. According to the search query used in the report 'X', it returns the respective results. The summary indexing is also enabled to Index the data events whenever the report 'X' search query runs.

Now I would like to know how my report 'X' behaves if I just directly open it to view. Because my report is set to Index under Summary indexing. So if I open my Report 'X' to view the results of their respective search, will it gives me the result or the results can be seen only when I traverse through the Summary index (and its respective source/sourcetype).

Could anyone please clarify the above?

0 Karma

renjith_nair
Legend

The result of your report is only depends on the normal indexes unless the 'report search' itself has a reference to the summary index (for eg:exclusion of some results which is already in summary) . So when you open the report X manually to see the results, its searching your normal index.

References: https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Usesummaryindexing#Summary_indexing_use...

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...