Splunk Enterprise

How to know that summary index is implemented

anil1432
Explorer

How can I know how my summary index is implemented? I know that it is only used for implementing scheduled searches and reports. May I know if that's correct? Otherwise, can you please provide me some solution? How do I find out that our summary index is implemented?

Thanks in advance
1 Solution

harsmarvania57
Ultra Champion

For subsearches there is a default limit of 10000 results, so it looks like in your environment you have already bumped that value to 2000000, which is quite high. Instead of increasing the subsearch limit, I'd suggest you optimize your Splunk query.


anil1432
Explorer

And also I want to solve the subsearch error.

I will arrange it in a neat query:

```spl
(host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010
| fields event_id platform
| fields - _raw
| stats count by event_id platform
| dedup event_id
| rename event_id as easy_id
| table easy_id platform
| join type=left easy_id
    [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010
    | fields event_id
    | fields - _raw
    | stats count by event_id
    | rename event_id as easy_id
    | table easy_id
    | eval retentionFlg=1]
| eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))
| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str
| addcoltotals labelfield=platform_str
| eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100
| eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00"
| eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59"
| eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d")." 00:00:00"
| eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d")." 23:59:59"
| table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate
```

harsmarvania57
Ultra Champion

I didn't get you.

If you want to check the summary index configuration, then look at the scheduled search configuration.

anil1432
Explorer

So can I use a summary index to get the correct count for this issue, or not?

anil1432
Explorer

Actually I am facing this issue, sir.

I would like to ask a question about changing settings of Splunk.

We have been using Splunk for a few years now. Currently we are facing an issue where Splunk cannot display results correctly.

■Background History
We observe the user churn rate through Splunk by using a query.

■Phenomenon we are facing
The report count looks incorrect and we can see the error below.
---
[subsearch]: Subsearch produced 2602757 results, truncating to maxout 2000000.
---

■Question
As we investigated through some docs, I guess we have an option to change the upper limit by changing "limits.conf".
Would it be possible to change the limit from the current 2,000,000 to 3,000,000 or 3,500,000?

harsmarvania57
Ultra Champion

For subsearches there is a default limit of 10000 results, so it looks like in your environment you have already bumped that value to 2000000, which is quite high. Instead of increasing the subsearch limit, I'd suggest you optimize your Splunk query.

anil1432
Explorer

If we increase the subsearch limit to 3000000, will any issue/problem occur?

harsmarvania57
Ultra Champion

I would not recommend it; I'd recommend you write a better search.
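The posted churn query can be written without join, which removes the subsearch and with it the truncation. What follows is an added example, not code from anyone in this thread: it keeps the hosts, the name="RegisteredUserLog" filter, the id!=3000000010 exclusion, the field names and the platform mapping from the posted query, and assumes the same 60-day base window and 30-day compare window. One base search covers both windows; each event is flagged as base or compare by comparing _time against the -30d@d boundary, and a single stats by event_id decides which base users reappear in the compare window. A join subsearch is capped by subsearch_maxout in the [join] stanza of limits.conf (a bare subsearch by maxout in [subsearch]); stats by has no such cap, so every user is counted.

```spl
(host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" id!=3000000010 earliest=-60d@d latest=@d
| fields _time event_id platform
| eval split_time=relative_time(now(), "-30d@d")
| eval in_base=if(_time < split_time, 1, 0), in_compare=if(_time >= split_time, 1, 0)
| stats max(in_base) as in_base, max(in_compare) as in_compare, earliest(platform) as platform by event_id
| where in_base=1 AND isnotnull(platform)
| eval platform_str=case(platform="0","Android", platform="1","iPhone", platform="2","Web (Android)", platform="3","Web (iPhone)", true(),"Unknown")
| stats count as basedUserCount, sum(in_compare) as retentionUserCount by platform_str
| addcoltotals labelfield=platform_str
| eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100
| eval baseUserListDateFrom=strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00",
       baseUserListDateTo=strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59",
       compareUserListDateFrom=strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d")." 00:00:00",
       compareUserListDateTo=strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d")." 23:59:59"
| table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate
```

The where isnotnull(platform) line mirrors the posted stats count by event_id platform, which silently drops events that have no platform field; earliest(platform) makes the platform choice deterministic, whereas the posted dedup event_id keeps whichever row happens to come first. The totals row from addcoltotals and the date columns are unchanged, so the output schema matches what DOMO already reads. If the 60-day scan itself is too slow, the same stats by event_id can be moved into a scheduled search that writes daily per-user rows to a summary index, which is the legitimate use of summary indexing raised in the question.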

anil1432
Explorer

As far as I can explain the background, we have been using Splunk to know business conditions, but we faced an issue with Splunk.

The issue is that when we tried to see the users' 7-day churn rate, we were using the query on Splunk which I shared with you in the previous e-mail.

However, from around February, the churn rate suddenly sprang up on our demographic tools, as in the capture image I attached (we connect the Splunk report with DOMO). And we found that this issue is caused by the limits.conf settings.

This is the reason why I asked a question about changing the settings.

I would like to provide you more information, but I could not do that due to not having any additional information.

anil1432
Explorer

Okay, let me see if it works.

But you suggest that we should not change the limit to limits=3000000010, right?

So if we do that, will any problem occur?

So it's better we reduce the query and run the search, right?

😊

anil1432
Explorer

This is my query, and I want to know my summary index:

```spl
(host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010
| fields event_id platform
| fields - _raw
| stats count by event_id platform
| dedup event_id
| rename event_id as easy_id
| table easy_id platform
| join type=left easy_id
    [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010
    | fields event_id
    | fields - _raw
    | stats count by event_id
    | rename event_id as easy_id
    | table easy_id
    | eval retentionFlg=1]
| eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))
| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str
| addcoltotals labelfield=platform_str
| eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100
| eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00"
| eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59"
| eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d")." 00:00:00"
| eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d")." 23:59:59"
| table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate
```

anil1432
Explorer

Okay, thanks for your answer.

1) If the user has a separate index and we have any problem regarding the subsearch, can I troubleshoot from the summary index?

To get the correct report count, like mentioning summary index=index and some query, to solve:

Phenomenon we are facing

The report count looks incorrect and we can see the error below.

---

[subsearch]: Subsearch produced 2602757 results, truncating to maxout 2000000.

For a user, if I run a query

anil1432
Explorer

I have a question, please.

Is a summary index like a mix-up of all indexes? Like index1, index2, index3... is the combination of these three indexes' data stored in the summary index? Or else is one entire index the summary index? Please confirm this for me.

Thanks in advance for your support

harsmarvania57
Ultra Champion

Any index can be a summary index.

For example (both scenarios below are valid):

  • Schedule_search1 is ingesting summary data in index1
  • Schedule_search2 is ingesting summary data in index2
  • Schedule_search3 is ingesting summary data in index3

OR

  • Schedule_search1 is ingesting summary data in index1
  • Schedule_search2 is ingesting summary data in index1
  • Schedule_search3 is ingesting summary data in index1

harsmarvania57
Ultra Champion

Hi,

In Splunk a summary index is not a special index; you can summarize data into any index which exists in Splunk.

To find out whether any scheduled searches have the summary index alert action enabled, you can use the search below on the search head to list those scheduled searches.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local f="action.summary_index" f="action.summary_index._name" f=disabled f=title
| rename action.* as *
| where summary_index=1 AND disabled=0
```
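To go one step further than listing the searches, the two searches below (an added example, not part of the reply above) first show each summary-feeding search with its owning app, schedule and target index, then check that the target index is actually receiving summary rows. They assume the target index is called index1, as in the earlier reply; events written by the summary index action carry sourcetype=stash and a source equal to the saved search name by default, which is what the second search groups on.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local f=title f=disabled f=cron_schedule f="eai:acl.app" f="action.summary_index" f="action.summary_index._name"
| rename action.* as *, "eai:acl.app" as app
| where summary_index=1 AND disabled=0
| table app title cron_schedule summary_index._name

index=index1 sourcetype=stash earliest=-7d@d
| stats count as summary_rows, min(_time) as first_row, max(_time) as last_row by source
| convert ctime(first_row) ctime(last_row)
```

A search that appears in the first result but has no row in the second has not written anything in the last 7 days: either its schedule is not firing or it is writing to a different index. Comparing the two lists is the quickest way to confirm that a report which reads from a summary index is working from complete data.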