Splunk Search

How can we get indexed fields on a summary index which is generated from a scheduled search?

manikanthkoti
Loves-to-Learn Everything

Hi Everyone,

We have one scheduled search which is running on the index (mulesoft_index). In this index, all the fields act as indexed fields.

We are storing the scheduled search results in a summary index (summaryindex_mt_stats) by enabling the Summary Indexing option on that scheduled search. But the fields are not acting as indexed fields in the summary index.

So how can we create indexed fields in the summary index while indexing from a scheduled search?

We are using data models on the summary index. But the tstats command is not working on the data model because the tsidx files do not contain the indexed fields, as the summary index does not have the indexed fields.

Can anyone please help with this?

Thanks & Regards,

Manikanth

0 Karma

gjanders
SplunkTrust

You might be able to apply props.conf rules via the source::<report name> in props.conf if that helps...

0 Karma

Nisha18789
Builder

Hi @manikanthkoti, ideally while writing to the summary index, whatever fields appear in the results are the indexed fields. Does your search return the fields in the result that you are interested to see in the summary index?

0 Karma

gjanders
SplunkTrust

@Nisha18789 that does not sound correct, summary indexing from what I understand does not create indexed fields by default...

0 Karma

manikanthkoti
Loves-to-Learn Everything

Hi @gjanders @Nisha18789, thanks for your response.

@gjanders, like you said, indexed fields won't be created by default while summary indexing.

If we can create them with the help of props.conf via the source::<report name>, please help us with this setting to link it with the summary indexing. We look forward to your response.

Thanks & Regards,

Manikanth

0 Karma

gjanders
SplunkTrust

Perhaps the first question is why do you want the indexed fields?

You are going to need to write props/transforms entries to get the indexed fields into the summary index I believe...

0 Karma