
New to Summary Indexing

rmorlen
Splunk Employee

I have a search:

index=_internal host=licenseManager type=Usage earliest=-5d st!=splunk_metrics | rename st AS sourcetype | timechart span=1d sum(eval(b/1024/1024/1024)) AS GB by sourcetype | addtotals

This gives me a nice table over the past 5 days on license usage per sourcetype. I also get the total usage so I have some idea on our total license usage.

This search takes a while to run. I would like to have a summary index that runs once a day so that I can generate a report once a day that looks back, let's say, the past 30 days.

For the scheduled search I have:

index=_internal host=licenseManager type=Usage earliest=-2d@d latest=-1d@d st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB

Scheduled to run at 1am.

alert condition = always

add fields:

index = summary

report = License_Usage_Report

  1. Is this the correct way to set it up?
  2. How do I generate the report using the summary index?

(we are running Splunk 4.2.5 in case this matters)

Thanks for any help.


rmorlen
Splunk Employee

I did figure out my summary indexing for the license info.

Scheduled search which runs at 1am and puts the data in a summary index named summary_admin:

index=_internal host=licenseManagerHostName earliest=-1d@d latest=@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype

The query I use to display the information:

index=summary_admin earliest=-30d | timechart useother="f" span=1d max(GB) by orig_sourcetype | addtotals

Since I specify earliest and latest in the scheduled search, backfilling didn't quite work like I would have liked, so I manually ran the searches using the command:

index=_internal host=licenseManagerHostName earliest=-1d@d latest=@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype | collect index=summary_admin

I changed earliest and latest to go back as far as I wanted so:

earliest=-2d@d latest=-1d@d

earliest=-3d@d latest=-2d@d

and so forth...

Hope it helps someone.

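The manual day-by-day backfill described in the post above, scripted as an added example that is not part of the original thread. It assumes the Splunk CLI lives under $SPLUNK_HOME/bin; the host name licenseManagerHostName and the summary_admin index are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): script the per-day backfill that
# the post above performed by hand. Assumes the splunk CLI at $SPLUNK_HOME/bin;
# licenseManagerHostName and summary_admin are the values used in the post.
set -eu

# SPL for the single day ending at midnight N days ago. The bounds snap to
# midnight (-Xd@d) exactly like the 1am scheduled search, so each run fills
# one daily bucket and never overlaps its neighbours.
backfill_search() {
  n="$1"
  prev=$((n + 1))
  printf '%s\n' "index=_internal host=licenseManagerHostName earliest=-${prev}d@d latest=-${n}d@d type=Usage st!=splunk_metrics | rename st AS sourcetype | stats sum(eval(b/1024/1024/1024)) AS GB by sourcetype | collect index=summary_admin"
}

# Print the searches for the oldest day first and the newest last (N lines).
backfill_days() {
  n="$1"
  while [ "$n" -ge 1 ]; do
    backfill_search "$n"
    n=$((n - 1))
  done
}

# Execute each search through the CLI. collect appends, so a day run twice is
# stored twice; the display search tolerates that because max(GB) of two
# identical values is unchanged, whereas sum(GB) would double-count the day.
run_backfill() {
  splunk="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
  backfill_days "$1" | while IFS= read -r spl; do
    "$splunk" search "$spl"
  done
}

# Dry run (print only) by default; set RUN_BACKFILL=1 to execute,
# e.g. RUN_BACKFILL=1 sh backfill.sh 30
if [ "${RUN_BACKFILL:-0}" = 1 ]; then
  run_backfill "${1:-30}"
else
  backfill_days "${1:-30}"
fi
```

Review the printed searches first; once they look right, rerun with RUN_BACKFILL=1 and the CLI will prompt for credentials.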

josh_1
New Member

Hello, I would suggest contacting Splunk support to answer this question. They would be able to answer it far better than I could.

~josh
