Splunk Enterprise

How to create a summary index for this scenario

cheriemilk
Path Finder

Hi team,

I have below query to search out all raw data and out put to a table format:

index=testIndex AND
sourcetype=testType AND ACT!="-" AND "DT=MANUALEVENT" AND C_PG="DEVELOPMENT_GOAL_V2" OR C_PG="PERFORMANCE_GOAL_V2"
| table _time, SFDC, CMN, CMID, CIP, SID, PUID, UID, MID, PID, C_PG,C_SPG, ACT

There're 6 different metrics/panels  in the dashboard to stats based on this query result,   

Question:

How  to create the summary index based on above query? I found that all the summary index command are  below 5 si commands per this official document  https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Usesummaryindexing , and I can't figure out which one to use  to match my scenario.

sichart

sitimechart

sistats,

sitop,

sirare

0 Karma

nickhills
Ultra Champion

To use the si commands you need to build a search which works with a normal transforming command (stats,timechart etc) first

Then you can replace "stats" with "sistats". This will create summarised data in the summary index (index=summary)

You can then run the original search (specifying index=summary) in the future.

If my comment helps, please give it a thumbs up!
0 Karma

cheriemilk
Path Finder

@nickhills 

I don't quite understand for 2 questions.

1. in my dashboard, there're 6 panels added which means there're 6 queries will be run at the same time when the dashboard is opened , and the metrics for 6 queries are different, but each metric is  aggregated by stats command.  do you mean I should create 6 summary index for each stats query?

2. how the summary index is stored the data? when I use sistats to ingest the data to new index, how the new index and corresponding data is saved? as the command sistats is just one-time run.

Thanks,

Cherie

0 Karma