Splunk Search

How to create summary index?

Vani_26
Path Finder

I have a dashboard which contains 5 panels in table format.

Query for panel1:
index=xxxx sourcetype=xxxxx stroage_name=CompleteTransactions
| table Description application _time count
| streamstats current=f window=1 values(Description) as desp values(application) as app values(_time) as totaltime values(count) as totalcount
| eval siml=if(application == app AND Description == desp, count - totalcount, 0)
| where siml > 0
| stats sum(siml) as totalrequest by application

output:

Description application _time count
ampt.gc.com ampt-portal 2023-01-16 14:00:56.456 100
ampt.gc.com ampt-login 2023-01-16 12:00:56.400 20
ampt.gc.com ampt-clientid 2023-01-16 11:00:36.406 50


Similar to the panel 1 query, we have 4 other panels with different field names.

The task is that I need to get the output of the 5 panels into a summary index.
Retention period: 60 days.
The query needs to run every 24 hours.

So I need to create a report that runs every day for the last 24 hours, and that report needs to collect all of that data into the summary index,
so that if they search for the last 60 days the data is displayed.

How can I do this?


bowesmana
SplunkTrust

Create your individual searches, or you can create a single search that will generate all parts of the data, then save it as a report and schedule it to run daily for 'yesterday'. Then enable summary indexing.

Alternatively you can use the collect command directly in your search.

In your dashboard, you can either use the loadjob or savedsearch command to load the most recent saved search report to display, or you can make searches from the summary index.

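The two routes described in the answer above (a scheduled daily report with summary indexing enabled, or the collect command at the end of the search), written out as configuration. This is an added example, not code from the thread or from Splunk; the index name summary_transactions, the report names, the 01:00 schedule and the panel field are assumptions, and the search body is the panel 1 query from the question with its placeholder index and sourcetype left as given.

```ini
# indexes.conf (added example; index name is an assumption)
# 60 days of retention = 60 * 86400 seconds. Buckets older than this are frozen
# (deleted by default), which is what gives the "last 60 days" window.
[summary_transactions]
homePath   = $SPLUNK_DB/summary_transactions/db
coldPath   = $SPLUNK_DB/summary_transactions/colddb
thawedPath = $SPLUNK_DB/summary_transactions/thaweddb
frozenTimePeriodInSecs = 5184000

# savedsearches.conf (added example)
# Route 1: scheduled report with summary indexing enabled.
# Runs once a day at 01:00 over the previous calendar day (-1d@d to @d), so
# each run covers exactly 24 hours and a late run does not shift the window.
# The action writes the report's result rows to the summary index; the search
# itself contains no collect.
[Summary - Complete Transactions - panel1]
search = index=xxxx sourcetype=xxxxx stroage_name=CompleteTransactions \
    | table Description application _time count \
    | streamstats current=f window=1 values(Description) as desp values(application) as app values(_time) as totaltime values(count) as totalcount \
    | eval siml=if(application == app AND Description == desp, count - totalcount, 0) \
    | where siml > 0 \
    | stats sum(siml) as totalrequest by application
enableSched = 1
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
action.summary_index = 1
action.summary_index._name = summary_transactions
# Extra field stamped on every summary event, so all five panels can share one
# index and the dashboard can filter on panel=<name>.
action.summary_index.panel = panel1

# Route 2: the same report, but with collect inside the search.
# Do not also set action.summary_index = 1 on this stanza, or every row is
# written to the index twice.
[Summary - Complete Transactions - panel1 (collect)]
search = index=xxxx sourcetype=xxxxx stroage_name=CompleteTransactions \
    | table Description application _time count \
    | streamstats current=f window=1 values(Description) as desp values(application) as app values(_time) as totaltime values(count) as totalcount \
    | eval siml=if(application == app AND Description == desp, count - totalcount, 0) \
    | where siml > 0 \
    | stats sum(siml) as totalrequest by application \
    | collect index=summary_transactions marker="panel=panel1"
enableSched = 1
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d

# Dashboard panel 1 then reads the summary instead of the raw events, one row
# per application per day, summed over the retention window:
#   index=summary_transactions panel=panel1 earliest=-60d@d
#   | stats sum(totalrequest) as totalrequest by application
```

Each of the other four panels gets its own stanza of the same shape with its own panel value, or, as the answer suggests, one report whose search produces all five result sets tagged with a panel field. The report owner needs scheduling rights on the report and write access to the summary index; if the "Edit Summary Indexing" option is missing from the report menu, that permission is the first thing to check.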

Vani_26
Path Finder

Hi @bowesmana, I have created the query, and I have created a new summary index in indexes.conf.

Now should I create a report, and how can I send the data to the summary index?
Do I need to add something like collect at the end of my query?
Do I need to create 2 reports, one for daily, and then that daily data needs to be added to the summary index?

I am completely new to this part, not sure how to make the connection between my query and the summary index.


bowesmana
SplunkTrust

In the report, you have an option to edit summary indexing

(screenshot: bowesmana_0-1678144316135.png)

You can do it this way, which is the simplest, or you can look at the collect command and do it yourself.

So, your report should produce all the data you want to store. 

What is the purpose of the summary index? Is it so that the dashboard can search that summary index instead of the raw data?

If so, you can make a single search that reports on all the data you want to record and then in your dashboard you can just pick the piece of data you need for each panel.

 

gerrysr6
Explorer

More screenshots sure would help. Where is that? I can see things like Edit Description/Permissions/etc., but not Edit Summary Indexing.


bowesmana
SplunkTrust

Maybe you don't have permission to do summary indexing, but that option is in Searches, Reports and Alerts.
