Splunk Search

Summary indexing searches

mansel_scheffel
Explorer

Hi,

This is a carry-on question from a previous post. https://answers.splunk.com/answers/439628/scheduling-multiple-searches.html

I have a few more searches that need to be embedded in other SI's. These searches are:
Top 20 sourcetypes
| tstats count where index=test* groupby sourcetype, _time | sitimechart sum(count) as count by sourcetype

Count of sourcetypes
| tstats dc(sourcetype) as sourcetypes WHERE index=test* earliest=-15m@m latest=-5m@m by _time span=10m

Count of hosts
| tstats dc(host) as Hosts WHERE index=test* earliest=-15m@m latest=-5m@m by _time span=10m

License usage
index=_internal source=license_usage.log type=Usage pool= idx=test* earliest=-15m@m latest=-5m@m | sitimechart span=10m sum(b) as Bytes

All of these searches need to be able to fill a SI, which then populates a further 3 SI's..(reading the link will clarify what I need to do) Any help would be appreciated!!

Thanks !

0 Karma

mansel_scheffel
Explorer

Solved this by renaming my fields - IE not using count, also not using si.

0 Karma

somesoni2
Revered Legend

You can actually setup the same way as suggested in the previous post. (Setup your first SI with your current search. Your subsequent search should use the results from the SI previous SI)

0 Karma

mansel_scheffel
Explorer

Still no joy with this :

-Data gets to the first SI fine - and I can report on it

-Trying to populate the second SI from the 1st one returns no useable data in the 2nd. Using any of the searches above.
-My thoughts are that it has something to do with _raw changing once in the first SI, which then stops the normal searches from populating the 2nd si and so on.

0 Karma

mansel_scheffel
Explorer

I tried that, I can get it to work for everything that isnt using a timechart count after the initial si command.. It doesnt count the count after the 1st summary index.. Everything using sitimechart first, then timechart..

0 Karma

somesoni2
Revered Legend

Since the timechart changes the column names with actual values, I would not use the timechart on the SI searches (for searches where column names can vary). I would probably just keep it with stats command in all SI and will use timechart in actual dashboard/reports using the data. Could you provide an example of SI search which is not working (and how it's not working)?

0 Karma

mansel_scheffel
Explorer

Thanks - yeah thats exactly whats causing the problem(column names) - ill create the other SI's with stats and then just use timechart in my dashboard. This is one of the searches not working:

| tstats count where index=test* groupby sourcetype, _time | sitimechart sum(count) as count by sourcetype

And it looks like its not including the count because the columns are changing..Ill try it with stats and get back to you! Thanks for the help..

0 Karma

mansel_scheffel
Explorer

No joy.. Still getting the same issue with the above search.. It just doesnt count, perhaps ill use a different search to populate the first SI.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You could set up a scheduled search for every 3 seconds to populate your second SI but you will have some latency issues. I'd also recommend using the dedup argument because you will defiantly have some overlap

Out of curiosity, why are you summarizing the data in a secondary summary index?

0 Karma

mansel_scheffel
Explorer

Thanks for the reply.. Its not the scheduling im having issues with, its the initial searches, they arent populating the 2nd, 3rd, 4th SI's correctly.. I suspect the syntax for the initial populating search is incorrect. Could you advise on any different syntax?

I have no idea why summarizing in 4 Si's, I suspect its to test their environment(client requirement, not personal choice)

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...