Store daily report into summary index

deepak02 · ‎07-07-2017

Hi,

I have a report that runs at 10:00 am everyday and uses time interval:today. This report is mailed out to a couple of people daily.

I have a dashboard which displays stats about data from the report for the last 7 days. This dashboard is very slow due to huge amount of data being read each time.

I would like to store the daily report into a summary index and use data from this summary index for my dashboard.

How do I store the report into a summary index so that the daily mail action is not affected?

Thanks,
Deepak

woodcock · ‎07-08-2017

You don't need necessarily need a Summary Index if it is a static report with once-daily runs. As @cusello said, schedule it to run in the middle of the night and email people links to it. Or instead of emailing links, put it in a dashboard but use loadjob to pull in the results of the most-recent run (instead of running the SPL every time that the dashboard is loaded). Besides, Summary Index is not so much something that you do to your report as much as something that you do to your data and then you convert your report to use the summarized data. I am not saying that it is not something that you should look at but rather that it is not something trivial that you can knock out in a few minutes like the other answer that we gave.

deepak02 · ‎07-08-2017

Thankyou woodcock.

As stated above, I want the daily report to still be sent using time interval=today. If I schedule the report to run every night with time interval=last 7 days, it will have data for the last 7 days, not 'today'.

The situation is this:

daily report: sent at 10.00 am everyday, time interval=today
dashboard: time interval=last 7 days, search runs everytime dashboard is viewed.

Both the above items use the same base data/log files. Only the time intervals vary.

I do not want to schedule a report for one, and a separate summary index for another. Can I use a common summary index (or any other option in Splunk) so that the report/dashboard are faster?

gcusello · ‎07-07-2017

Hi deepak02,
you could schedule your report every night with tipme period last 7 days and show it in a dashboard.
To do this you have to schedule your report e.g. at 1.00 and then save it as Dashboard Panel, put attention that in the option "Panel based on" you have to insert Report (not On Line Search).
Bye.
Giuseppe

deepak02 · ‎07-08-2017

Thankyou Giuseppe.

Won't this method affect the time interval of daily report sent?

I want the daily report to still be sent using time interval=today. If I schedule the report to run every night with time interval=last 7 days, it will have data for the last 7 days, not 'today'.

The situation is this:

daily report: sent at 10.00 am everyday, time interval=today
dashboard: time interval=last 7 days, search runs everytime dashboard is viewed.

Both the above items use the same base data/log files. Only the time intervals vary.

I do not want to schedule a report for one, and a separate summary index for another. Can I use a common summary index (or any other option in Splunk) so that the report/dashboard are faster?

gcusello · ‎07-09-2017

Hi deepak02,
let me better understand: do you want to show in a dashboard events from 00.00 to 10.00 of every day of the last seven days?
if this is your need you could schedule your report's search using as time period last seven days and putting as additional filter date_hour<11.

Bye.
Giuseppe

Store daily report into summary index

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life