Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to ensure data ingested into summary indexing through schedule reports is stored with the timestamp of the date the report is run?

uhkc777
Explorer
‎02-02-2017 07:20 AM

Hi,

I have a scheduled report which runs every midnight over last 30 days data and indexing into summary index.
But, in summary indexing that result from schedule report is storing with timestamp of 30 days back.
Eg: if i run the schedule report on 02/01 over last 30 days data,the result of this storing in summary index with 01/01 timestamp.

so while calling this summary indexing in my dashboards, i'm using: index=summary et=-30d@d

is there any way to store the summary indexing data with today time stamp?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2017 01:53 PM

If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.

index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2017 01:53 PM

If your summary index search result contains field _time, it'll use that as the _time for summary index data. If it doesn't contain _time, then the search's earliest timestamp (which you're using as -30d@d) as _time for summary index result. So if you want to keep the current day (day on which the summary search was run, create a field _time with current day. like this.

index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg | eval _time=relative_time(now(),"@d")
Reply
Solved! Jump to solution

rjthibod
Champion
‎02-02-2017 09:07 AM

Please share the savedsearch settings and the actual search that are populating your summary index.

0 Karma
Reply
Solved! Jump to solution

uhkc777
Explorer
‎02-02-2017 09:15 AM

where can i find the saved search settings?.

search query:
index=test earliest=-30d@d |table _time,x|timechart span=1d dc(x) as count|stats avg(count) as Avg
I'm saving it as report .
These are the steps i'm following for summary indexing.

settings-->searches,Reports-->open this report-->schedule this report everyday midnight--->enable summary indexing-->select summary index

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-02-2017 09:11 AM

Also, we need to see the search that you are using to report out from your summary index.

0 Karma
Reply
Solved! Jump to solution

uhkc777
Explorer
‎02-02-2017 09:23 AM

index=test|eval date=strftime(_time,"%Y-%m-%d")|table Date,x|chart dc(x) by Date|appendcols[|search index=summary earliest=-30d@d|head 1|table Avg]|filldown Avg

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...