Write realtime search results to summary index

manjosk8 · ‎08-24-2012

Hi,

I am trying to figure out how to write real time search results to summary index.
Since I cannot create real time search that populates summary index from Manager->Searches and reports view because Splunk hides me an summary index option if I enter value rt for Start time and End time fields, I tried different approach using collect method.

On end of my initial search string I added following statements:

| addinfo | collect run_in_preview=false index=summary_index addtime=t marker="report=\"test\""

and Splunk writes only results to summary index when I finalize real time search, which does not help.

I also tried to run a search using collect run_in_preview=true parameter, but then Splunk writes same events multiple times to summary index, I guess on each real time search refresh.

If you have any suggestions or ideas please help.

Thanks in advance!

dolivasoh · ‎12-29-2014

Try setting it up as an alert to run real-time over 1 minute and send results to the summary index. If that option isn't available to you, you'll need to check your permissions.

cpetterborg · ‎11-13-2014

Why would you want to write real-time results to a summary index? Doesn't that defeat the purpose of a summary index? What are you trying to accomplish with the summary index data? Perhaps that would help formulate a solution to your problem.

Write realtime search results to summary index

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!