Summary Index Reports

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I've put together the search below to create a Summary Index

tags.transactionName="Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'."  "
| eval shortForm=substr(shortForm, 1, 6)
| sort 0 detail.messageId
| dedup detail.messageId
| chart count by shortForm
| eval pieSlice=shortForm + " " + count
| fields pieSlice, count

The problem I now have is trying to retrieve the results. I know that I need to use index=summary source="SA Tester" at the beginning of the query, but despite several combinations I can't retrieve the results.

I've managed a very simple example of this, but this is more complicated than the tutorials I've been using.

I just wondered whether someone may be able to look at this and let me know where I'm going wrong.

Many thanks and kind regards

Chris

1 Solution

IRHM73
Motivator

Hi, for those who may be interested, I've now got this to work.

This is the query I use in the scheduled report:

index=main tags.transactionName="Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'."  "
| eval shortForm=substr(shortForm, 1, 6)
| sort 0 detail.messageId
| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId"
| sichart count by shortForm

And the following is how I retrieve the figures:

index=summary source="SA Letters Suppressed Summary Index Test"
| chart count by shortForm
| eval pieSlice=shortForm + " " + count
| fields pieSlice, count

I hope this helps.

Many thanks and kind regards

Chris



woodcock
Esteemed Legend

Is your populating search really named EXACTLY Index Report Name?
Is your populating search enabled?
Did you click Enable under Summary Indexing?
What index did you put in the Select the Summary Index field (is it really summary)?
Are you using that same index in your search?
Are you running your search on the same Search Head that is running the populating search (maybe behind a VIP to more than 1 Search Head)?


IRHM73
Motivator

Hi @woodcock, thank you for taking the time to come back to me with this.

In answer to your questions:

  • Original post edited to reflect true name of report.
  • Yes the populating search is enabled.
  • Yes, when I set up the scheduled search I enabled 'Summary Indexing'
  • Yes the index is called "summary"
  • I can confirm that I'm able to see the events, so I think it's just putting this into the chart which appears to be the problem.
  • I must admit I'm not so sure what the answer is here. All I can say is that using a simple query I've been able to retrieve the 'Summary Index' results, and I've followed the same method.

I hope this helps.

Many thanks and kind regards

Chris
