I have a job set up to create a summary index off the license data for longer term storage. The job ran, but my summary index is empty. Not sure why... here's my saved search:
[Hourly_License_byHost_Summary_Index]
action.email = 1
action.email.to = email@example.com
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index._name = test
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -1y@d
cron_schedule = 0 0 * * *
description = Create hourly summary index for license info
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
display.general.timeRangePicker.show = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.patterns.sensitivity = 0.7
display.page.search.tab = statistics
display.visualizations.custom.donut.donut.drilldown = 1
display.visualizations.custom.donut.donut.log = 1
display.visualizations.custom.donut.donut.show_legend = 1
display.visualizations.custom.markdown.markdown.log = 0
display.visualizations.custom.scatterplot_matrix.scatterplot_matrix.log = 0
display.visualizations.custom.scatterplot_matrix.scatterplot_matrix.show_legend = 1
display.visualizations.custom.scatterplot_matrix.scatterplot_matrix.show_trend = 1
display.visualizations.custom.type = aplura_viz_donut.donut
display.visualizations.show = 0
display.visualizations.type = custom
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_app = search
request.ui_dispatch_view = search
schedule_window = 300
search = index=_internal source=*license_usage.log type="Usage" | eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)", idx) | eval sourcetypename = st | bin _time span=1h | stats sum(b) as b by _time, pool, indexname, sourcetypename, h | eval GB=round(b/1024/1024/1024, 3) | fields _time, pool, indexname, sourcetypename, h, GB
OK. Figured it out. Index didn't exist. Not sure why it didn't generate any messages for the search though... that's a bit strange.
That said, it's putting the entire event in the summary index. I just want certain fields - _time, pool, indexname, sourcetypename, h, GB - how would I do that?
"it's putting the entire event in the summary index." Could you post the event that you get in your summary index? Even if you see the data in tabular form from your search, it will be stored as raw events (with fields appearing as key value pair with some additional info) in summary index.
Thanks. Not sure if this is normal... I get the following, which has the fields but also a bunch of other stuff. I was expecting just the fields that I stated:
06/16/2016 23:00:00 -0400, search_name=Hourly_License_byHost_Summary_Index, search_now=1466172480.000, info_min_time=1466049600.000, info_max_time=1466136000.000, info_search_time=1466172481.206, GB="0.000", h="abcdef0806n.fmr.com", indexname=summary, pool=auto_generated_pool_enterprise, sourcetypename=meta_woot
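To make the explanation above concrete, here is an added example (not from the thread or from Splunk) that parses a summary-index event of the shape shown in the last post and separates the fields the scheduler added (search_name, search_now, info_min_time, info_max_time, info_search_time) from the fields the search itself emitted. The sample event is constructed to match the posted one, with a placeholder hostname; the metadata field list and the window check are assumptions drawn from the posted event, not from Splunk documentation.

```python
import re
from datetime import datetime

# Constructed sample event: same layout as the one posted in the thread,
# with a placeholder hostname in place of the real one.
SAMPLE_EVENT = (
    '06/16/2016 23:00:00 -0400, search_name=Hourly_License_byHost_Summary_Index, '
    'search_now=1466172480.000, info_min_time=1466049600.000, '
    'info_max_time=1466136000.000, info_search_time=1466172481.206, '
    'GB="0.000", h="host01.example.com", indexname=summary, '
    'pool=auto_generated_pool_enterprise, sourcetypename=meta_woot'
)

# Fields that appear in the stored event but were not in the search's
# "| fields ..." list; assumed here to be the scheduler's bookkeeping.
SCHEDULER_FIELDS = {
    "search_name", "search_now", "info_min_time", "info_max_time", "info_search_time",
}

# Leading timestamp "MM/DD/YYYY HH:MM:SS +ZZZZ," followed by key=value pairs.
TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}),\s*(.*)$")
# A key, then either a double-quoted value (with backslash escapes) or an
# unquoted value running up to the next comma.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_summary_event(line):
    """Return (event_time, {field: value}) for one summary-index raw event."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("not a summary-index event: %r" % line[:40])
    event_time = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S %z")
    fields = {}
    for key, raw in KV_RE.findall(m.group(2)):
        value = raw.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return event_time, fields


def split_fields(fields):
    """Separate scheduler bookkeeping from the fields the search produced."""
    meta = {k: v for k, v in fields.items() if k in SCHEDULER_FIELDS}
    data = {k: v for k, v in fields.items() if k not in SCHEDULER_FIELDS}
    return meta, data


def in_search_window(event_time, meta):
    """Sanity check: the event's _time should fall inside [info_min_time, info_max_time)."""
    low = float(meta["info_min_time"])
    high = float(meta["info_max_time"])
    return low <= event_time.timestamp() < high


if __name__ == "__main__":
    ts, all_fields = parse_summary_event(SAMPLE_EVENT)
    meta, data = split_fields(all_fields)
    print("event _time:", ts.isoformat())
    print("scheduler fields:", sorted(meta))
    print("search fields:", data)
    print("inside search window:", in_search_window(ts, meta))
```

The window check is the kind of consistency test worth running over a freshly populated summary index: an event whose _time lies outside its own info_min_time/info_max_time range points at a bin or dispatch.earliest_time/dispatch.latest_time mismatch in the scheduled search.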