With search you're executing, _time value will get stored in the summary index
_time = time of events which will be the time -20 min from the time it is scheduled to run. all the evetns in summary index from one execution will have same _time value
So the things which are doable you asked
Yes, you will be able to sum the counts of the evets for each host/index/sourcetype over various span of time. Beware, the change in _time value so your time range should be appropriate.
Yes, your events in the summary index will be like any other indexed events, with _time value appearing at 15 min interval.
... View more