It's probably not best practice but, is there a way to have the summary index results clickable drilldown link to the raw events(by host for example)
I saw some examples here on answers using convertoIntentions XML or somesuch but the answers seemed bit old.
Any examples appreciated.
Yes, this can be done using advanced XML. There's an example in this post that worked great for me:
http://splunk-base.splunk.com/answers/63886/i-just-need-to-see-a-simple-example-of-using-clickvalue-...
Yes, this can be done using advanced XML. There's an example in this post that worked great for me:
http://splunk-base.splunk.com/answers/63886/i-just-need-to-see-a-simple-example-of-using-clickvalue-...
The answers using the convertToIntention XML are still valid, and still really the easiest way to do it in the Splunk UI, unless perhaps you choose to use SideView Utilities. Future functionality of Transparent Summarization should allow you to use summaries to display results without having to actually have separate indexes or events for them.