Re: REST summary index

mwdbhyat · ‎08-30-2016

Hi,

I am currently using these 2 REST searches to populate a a dashboard.

| REST /services/data/indexes | search title=test* | stats sum(currentDBSizeMB) as currentSize | eval currentSize=currentSize/1024

| rest /services/deployment/server/clients splunk_server=SGB*APSDS1001 | where (now()-lastPhoneHomeTime)<(24*60*60) | stats count

I would like to use a summary index for this. Could anyone advise on how to change my searches to use summary indexing and get the same results?

Thanks!

vasanthmss · ‎08-30-2016

Hi,

Read the below URL's to understand the Summary index and configuring Summary index,

http://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Usesummaryindexing

Abstract steps,

 1. Create an new index to hold your summary values. 
 2. Create an scheduled saved search and enable the summary indexing & select newly created index.
 3. use the new index to query your results.

hope this will helps you..

V

mwdbhyat · ‎08-30-2016

Thanks for the reply.. Its not the summary indexing I am unsure about, more the searches.. I suspect using the rest command will create invalid results if it is populating a summary index every 10m, and then I report on that with a stats sum or count..it will just add.

Basically what im trying to achieve is the results I get from the above REST searches to be displayed in the dashboard exactly the same way, however, they must be stored in a summary index for access control. The above searches display index size and number of agents deployed.

REST summary index

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms