Splunk Search

How to create summary index?

Vani_26
Path Finder

I have a dashboard which contains 5 panels in table format.

Query for panel1:
index=xxxx sourcetype=xxxxx  stroage_name=CompleteTransactions 
|table Description application _time  count
streamstats current=f window=1 values( Description) as desp   values(application) as app values(_time) as totaltime  values (count) as totalcount
|eval siml=if(application == app AND Description == desp, count - totalcount,0)
|where siml > 0
|stats sum(siml) as totalrequest by application

output:

Description application _time count
ampt.gc.com ampt-portal 2023-01-16 14:00:56.456 100
ampt.gc.com ampt-login 2023-01-16 12:00:56.400 20
ampt.gc.com ampt-clientid 2023-01-16 11:00:36.406 50


Similar to panel 1 query  we have other 4 panels  with different field names. 

The task is i need to get the output of 5 panels into a summary index.
Retention period  to 60 days
query need to run for every 24 hours

So need to create a report for everyday for last 24 hours and need to create report to collect everydata into summary index.
so that if they search for last 60 days data should display.

how can i do this

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

In the report, you have an option to edit summary indexing

bowesmana_0-1678144316135.png

You can do it this way, which is the simplest, or you can look at the collect command and do it yourself.

So, your report should produce all the data you want to store. 

What is the purpose of the summary index? Is it so that the dashboard can search that summary index instead of the raw data?

If so, you can make a single search that reports on all the data you want to record and then in your dashboard you can just pick the piece of data you need for each panel.

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

Create your individual searches, or of you can create a single search that will generate all parts of the data and then save it as a report and then schedule it to run daily for 'yesterday'. The enable summary indexing.

Alternatively you can use the collect statement directly in your search.

In your dashboard, you can either use loadjob or savedsearch command to load the most recent saved search report to diplay or you can make searches from the summary index.

 

0 Karma

Vani_26
Path Finder

Hi @bowesmana, i have created the query, and i have created a new summary index in indexs.conf

Now what i should create a report and now how i can send the send data to summary index,
Do i need to add like collect at the end of my query??
Do i need to create a 2 reports one for daily and that daily data need to be added in summary index??

I am completely new to this part, not sure how to make the connection between my query and summaryindex.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

In the report, you have an option to edit summary indexing

bowesmana_0-1678144316135.png

You can do it this way, which is the simplest, or you can look at the collect command and do it yourself.

So, your report should produce all the data you want to store. 

What is the purpose of the summary index? Is it so that the dashboard can search that summary index instead of the raw data?

If so, you can make a single search that reports on all the data you want to record and then in your dashboard you can just pick the piece of data you need for each panel.

 

gerrysr6
Explorer

more screen shot sure would help - where is that? I can see stuff like Edit Description/Permissions/etc. but not Edit Summary Indexing

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Maybe you don't have permission to do summary indexing, but that option is in the searches, reports and alerts

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...