Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Write realtime search results to summary index

manjosk8
Engager
‎08-24-2012 06:37 AM

Hi,

I am trying to figure out how to write real time search results to summary index.
Since I cannot create real time search that populates summary index from Manager->Searches and reports view because Splunk hides me an summary index option if I enter value rt for Start time and End time fields, I tried different approach using collect method.

On end of my initial search string I added following statements:

| addinfo | collect run_in_preview=false index=summary_index addtime=t marker="report=\"test\""

and Splunk writes only results to summary index when I finalize real time search, which does not help.

I also tried to run a search using collect run_in_preview=true parameter, but then Splunk writes same events multiple times to summary index, I guess on each real time search refresh.

If you have any suggestions or ideas please help.

Thanks in advance!

Tags (1)
Reply

dolivasoh
Contributor
‎12-29-2014 11:44 AM

Try setting it up as an alert to run real-time over 1 minute and send results to the summary index. If that option isn't available to you, you'll need to check your permissions.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎11-13-2014 11:48 AM

Why would you want to write real-time results to a summary index? Doesn't that defeat the purpose of a summary index? What are you trying to accomplish with the summary index data? Perhaps that would help formulate a solution to your problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...