Solved: Running a scheduled search and saving the results ...

monteirolopes · ‎05-02-2016

Hi,

I created a search that returns me a table with some values, follows:

... | table name, id, date

I scheduled my search to run every day at midnight and the results are saved in the summary index.
In my summary index, I see each table row as an event. Is this correct? How can I see the results like a table on the summary index?

Best regards,
Lopes.

somesoni2 · ‎05-02-2016

You should be able to see data from your summary index using following query

index=yoursummaryindexname source=NameOfYOurSummaryIndexSearch | table name id date

View solution in original post

somesoni2 · ‎05-02-2016

You should be able to see data from your summary index using following query

index=yoursummaryindexname source=NameOfYOurSummaryIndexSearch | table name id date

monteirolopes · ‎05-02-2016

I was not sure if I could use the normal commands, but I saw a note on the documentation talking about it.
"Note: You do not have to use the si- summary index search commands if you are proficient with the "old-school" way of creating summary-index-populating searches."

Thank you!

woodcock · ‎05-02-2016

It depends on which command you used to put it into the SI. It is all described here:

http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Usesummaryindexing

Running a scheduled search and saving the results to a summary index, how do I view the results as a table?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms