summary indexing data

splunkingsplunk · ‎10-12-2011

hi i am using the below query to summary index

index=level3 earliest=+285min latest=+300min | eval volumegb=volumebytes/(1024*1024*1024) | sitimechart sum(volumegb),distinct_count(ipaddr) span=1min

for every 15 mins, new log file will be added to level3 indexing and that file consists of data varying from next 50 mins to next 6 hrs.

so the above summary indexing dont work as new data will be added to level3 index for various time intervals. but the data is added to level3 index from a single file for every 15 mins

is there any way i can summary index new data from index level3

Thanks

yannK · ‎10-13-2011

First : you shouldn't summarize your data until all your events are indexed.

Or you want to consolidate your summaries, you will have to :

delete the existing stats for a given period and recreate them using a backfill. something like : index=summary search_name=mysummarysearch earliest=-xdays latest=-ydays | delete
then repopulate the summary search for the given period using the "backfill script" http://docs.splunk.com/Documentation/Splunk/4.2.3/Knowledge/Managesummaryindexgapsandoverlaps

splunkingsplunk · ‎10-14-2011

Thanks for the reply YannK. but depending on my summary index data. our developer is trying to show graph values like amount of gb served for past 2hrs, 24 hrs 7 days. so i f ihave to delete 7 hrs of data and sumamry index it again his graph will be missing data for that time. is there any way i can summary-index only new events indexed by level3(index) in particular time period(time period it indexed the data) not the event time period. sorry if it is a dumb question..

summary indexing data

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...