Knowledge Management

Summary index search not working

mfrost8
Builder

So after having used Splunk for over a year now, I'm finally getting around to doing my first summary index-based search and it's not working. Clearly I'm missing something that's probably obvious, but I can't figure out what it is.

I had started with the following search

tag=p*aps* source=*/access.log | stats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host| eval MBytes_Total = round((( bytes_sent_total + bytes_received_total ) / 1048576), 2) | eval MBytes_Sent = round((bytes_sent_total / 1048576),2) | eval MBytes_Received = round((bytes_received_total / 1048576),2) | fields host, HTTP_Operations, MBytes_Sent, MBytes_Received, MBytes_Total

which works great run by itself. I read the docs and understand that I have to drop the evals. So I whittled this down to

tag=p*aps* source=*/access.log | sistats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host

I made this a scheduled search to collect this information for yesterday (start -1d@d, end @d) and scheduled to run every day at 10 minutes after midnight. I do not have the enable summary indexing box checked in the scheduled search because I thought I'd understood that the "sistats" command itself would generate the summary data.

So this search runs according to the job monitor, but nothing ever shows up in the summary index. In fact, according to the index page under Manager, my summary index hasn't had a new event added in 6 days.

What am I doing wrong?

Thanks

1 Solution

gkanapathy
Splunk Employee

Simply, you need to check the "enable summary indexing" checkbox. sistats will generate the data, but will not write it to the summary index.


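The accepted answer expressed as savedsearches.conf, as an added example that is not part of the original thread. The first stanza is what the original poster's scheduled search amounts to (sistats, but no summary-indexing action), the second is the corrected version; the stanza names, the summary index name "summary" and the cron expression are assumptions, while the search string is the one posted in the question.

```ini
# Added example (not from the thread). Stanza names, the summary index name and
# the cron expression are assumptions; the search is the one posted above.

# BEFORE: the search runs nightly and sistats computes the partial results, but
# nothing is written anywhere because action.summary_index is not enabled. This
# is the "enable summary indexing" checkbox from the answer.
[http_ops_summary_broken]
search = tag=p*aps* source=*/access.log | sistats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host
enableSched = 1
cron_schedule = 10 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d

# AFTER: same schedule and same sistats search, plus the summary-indexing action
# that actually writes the results into the summary index.
[http_ops_summary]
search = tag=p*aps* source=*/access.log | sistats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host
enableSched = 1
cron_schedule = 10 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
action.summary_index = 1
action.summary_index._name = summary
```

Two checks worth doing after the change. First, confirm events are actually landing by searching the summary index for the saved search name, which Splunk writes into the source field of each summary event: index=summary source="http_ops_summary" | head 5. Second, the reporting search over si-data repeats the same stats clause (with stats, not sistats) and only then applies the evals that were dropped from the generating search: index=summary source="http_ops_summary" | stats count AS HTTP_Operations sum(bytes_received) AS bytes_received_total sum(bytes_sent) AS bytes_sent_total BY host | eval MBytes_Total = round(((bytes_sent_total + bytes_received_total) / 1048576), 2). Appending | collect index=summary to the search by hand does much the same job as the action, but the action is what the checkbox configures and is the conventional way to do it.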
mfrost8
Builder

That was it. What I'd understood from the docs was that using "sistats" alone was signalling Splunk that this was a summary index related search. I thought that ticking the enable summary indexing checkbox would handle the details if, say, you used "stats" instead of "sistats".

Thanks very much, Gerald.
