I am running a script that, simply put, inserts a record into Splunk for each person that is using space on our storage system. It also includes each user's department. I would like to use summary indexing on this data so that I can track (long-term) each department's usage. The problem? We have over 100 departments. Until now, I have been creating summary-indexed fields by hand. Applying that approach to this problem would yield something like:
storagevol1_department1_numrecords, storagevol1_department1_mbused, storagevol_department2_numrecords . . .
in the field list of the saved search that would be sent to the summary index. Volumes * departments * 2 fields is a lot of typing, and one ugly saved Splunk search.
What I'd like to do is automatically have every combination of volume, qtree, department and numrecords|mbused that shows up in:
| stats count(_time) as "numrecords", sum(used_mb) as "mbused" by volume,qtree,department
go into the summary index in such a way that I could use each of those combinations in a timechart in the future. Essentially, I want to use a combination of field values and field names to create new field names.
Am I missing something? Should I be using sistats and focus on separating the combinations of and in the report that pulls from the summary indexed data?
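One way to set this up with sistats, as an added example that is not from the original post or from Splunk's own documentation; the base search (`sourcetype=storage_usage`), the stanza names, the `summary` index name, the schedule and the `report` marker field are assumptions:

```ini
# savedsearches.conf (assumed stanza names, index name and schedule)
#
# 1) Scheduled search that feeds the summary index. sistats writes one
#    partial-result event per volume/qtree/department combination, so no
#    per-department field names have to be typed into the saved search.
[storage_usage_summary]
search = sourcetype=storage_usage | sistats count, sum(used_mb) by volume, qtree, department
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary
# adds a field "report=storage_usage_summary" to every summary event so the
# reporting searches below can select exactly this data
action.summary_index.report = storage_usage_summary

# 2) Reports over the summary data. The stats functions must match the ones
#    used in sistats (count, sum(used_mb)); renaming, filtering and the
#    split-by choice happen here, not in the scheduled search.
[storage_usage_mb_by_department]
search = index=summary report=storage_usage_summary | timechart span=1d sum(used_mb) as mbused by department

[storage_usage_records_by_volume]
search = index=summary report=storage_usage_summary department=department1 | timechart span=1d count as numrecords by volume
```

Because the summary events keep volume, qtree and department as ordinary fields, any combination can be selected or split on later (for example `| timechart span=1w sum(used_mb) by qtree`) without a new saved search.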