I am currently using these 2 REST searches to populate a a dashboard.
| REST /services/data/indexes | search title=test* | stats sum(currentDBSizeMB) as currentSize | eval currentSize=currentSize/1024
| rest /services/deployment/server/clients splunk_server=SGB*APSDS1001 | where (now()-lastPhoneHomeTime)<(24*60*60) | stats count
I would like to use a summary index for this. Could anyone advise on how to change my searches to use summary indexing and get the same results?
Read the below URL's to understand the Summary index and configuring Summary index,
1. Create an new index to hold your summary values. 2. Create an scheduled saved search and enable the summary indexing & select newly created index. 3. use the new index to query your results.
hope this will helps you..
Thanks for the reply.. Its not the summary indexing I am unsure about, more the searches.. I suspect using the rest command will create invalid results if it is populating a summary index every 10m, and then I report on that with a stats sum or count..it will just add.
Basically what im trying to achieve is the results I get from the above REST searches to be displayed in the dashboard exactly the same way, however, they must be stored in a summary index for access control. The above searches display index size and number of agents deployed.