- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Re: How to know that summary index is implemented
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to know that , how my summary index is implemented?. I know that only uses for implementing scheduled searches and reports . May I know it's correct . Otherwise can please you please provide me some solution . How to find out that our summary index is implemented
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For subsearch, there is default limit of 10000 results so it looks like in your environment you already bumped that value to 2000000 which is quite higher. Instead of increasing subsearch limit, I'll suggest you to optimize your splunk query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And also I want to solve subsearch error.
I will arrange in neat query
(host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id
[search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1]
| eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't get you.
If you want to check summary index configuration then look at scheduled search configuration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So can I use summary index to get correct count? For this issue or?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually I am facing this issue sir,
I would like to ask a question about changing settings of Splunk.
We have been using Splunk for few years for now. currently we are facing issues that Splunk can not dsplay results correctly.
■Background History
We observe users churn rate through Splunk by using query.
■Phenomenon we are facing
The report count looks incorrect and we could see this error as below.
---
[subsearch]: Subsearch produced 2602757 results, truncating to maxout 2000000.
---
■Question
As we investigated through some docs, I guess we have a option to change the upper limits by changing "limits.conf".
Would it be possible to change limits from current 2,000,000 to 3,000,000 or 3,500,000 ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For subsearch, there is default limit of 10000 results so it looks like in your environment you already bumped that value to 2000000 which is quite higher. Instead of increasing subsearch limit, I'll suggest you to optimize your splunk query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If we increase the subserach limit to
3000000 any issue / problem will occur ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll not recommend it, I'll recommend you to write better search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I can explain this background, we have been using Splunk to know business conditions but we faced the issue on the Splunk.
That issue is that when we tried to see User's 7day's churn rate, we were using that query on Splunk which I shared with you on previous e-mail.
However, from around Feburary, churn rate was suddenly sprung up on our demographic tools as I attached capture image (we connect with Splunk report with DOMO). And we found that this issue is caused by .limitconf settings.
This is the reason why I asked a question to change the settings.
I would like to provide you more infromation, but I could not do that due to not having more additional information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay let me see , if it works ,
But you suggest me that we should not change limits to limits =3000000010 right?
So if we do that any problem will occur?
So better we should reduce the query and run the search right
😊
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is. My query and I want to know my summary index
(host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1] | eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay thanks for your answer
1)If user have separate index and if we can have any problem regarding sub search . can I troubleshoot from summary index?
To get the correct report count
Like mentioning summary index =index
And some query
To solve
Phenomenon we are facing
The report count looks incorrect and we could see this error as below.
---
[subsearch]: Subsearch produced 2602757 results, truncating to maxout 2000000.
For user if I run a query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a question please
summary index is like mixup up of all indexes? Like index 1 , index2 , index 3..... Combination of these three index data is stored in summary index ? . Or else one entire index is summary index? Please confirm me this plz
Thanks in advance for you support
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any index can be summary index.
For example (below scenario are valid):
- Schedule_search1 is ingesting summary data in index1
- Schedule_search2 is ingesting summary data in index2
- Schedule_search3 is ingesting summary data in index3
OR
- Schedule_search1 is ingesting summary data in index1
- Schedule_search2 is ingesting summary data in index1
- Schedule_search3 is ingesting summary data in index1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
In Splunk summary index is not any special index, you can summarize data in any index which exist in splunk.
To find out whether any schedule searches have summary alert action enabled then you can use below search on search head to find out those scheduled searches.
| rest /servicesNS/-/-/saved/searches splunk_server=local f="action.summary_index" f="action.summary_index._name" f=disabled f=title
| rename action.* as *
| where summary_index=1 AND disabled=0
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
Take Your Breath Away with Splunk Risk-Based Alerting (RBA)
