Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can we get Indexed Fields on Summary Index which generated from Schedule Search?

manikanthkoti
Explorer
‎09-02-2020 11:58 AM

Hi Everyone,

 

We have one Schedule which is running on the Index(mulesoft_index ).In this Index all the Fields are act as Indexed Fields .

We are Storing Schedule  Search Results into one Summary Index (summaryindex_mt_stats) by enabling Summary Indexing option from that Schedule Search.But the Fields are not acting as Indexed-Fields in the Summary Index.

So How can we create Indexed Fields in Summary Index while indexing from a schedule search ?

 

We are using data models on the Summary Index.But tstats command is not working on the Data Model because tsidx files does not contain the indexed fields, As summary index does not have the indexed fields.

Can any one please help on this?

Thanks&Regards,

Manikanth

 

 

 

 

Labels (4)
Tags (1)
0 Karma
Reply

manikanthkoti
Explorer
‎09-02-2020 11:10 PM

Hi @gjanders @Nisha18789  Thanks for your Response.

@gjanders Like you said Indexed Fields wont create by default while Summary Indexing.

If we can create with the help of props.conf via the source::<report name> Please help us this setting to link with the Summary Indexing.

We are forward to your response.

Thanks & Regards,

Manikanth

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-02-2020 09:22 PM

You might be able to apply props.conf rules via the source::<report name> in props.conf if that helps...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

Nisha18789
Builder
‎09-02-2020 03:19 PM

Hi @manikanthkoti , ideally while writing to summary index whatever fileds appear in the results are the indexed fields. Does your search returns the fields in the result that you are interested to see in summary index?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-02-2020 09:18 PM

@Nisha18789that does not sound correct, summary indexing from what I understand does not create indexed fields by default...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

manikanthkoti
Explorer
‎09-02-2020 11:25 PM

Hi @gjanders @Nisha18789 Thanks for your Response.

 @gjanders Like you said Indexed Fields wont create by default while Summary Indexing.

If we can create with the help of props.conf via the source:: Please help us this setting to link with the Summary Indexing. We are forward to your response.

Thanks & Regards,

Manikanth

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-03-2020 01:57 PM

Perhaps the first question is why do you want the indexed fields?

You are going to need to write props/transforms entries to get the indexed fields into the summary index I believe...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Top