Alerting

How to choose log events for alert actions in a scheduled report?

akarivaratharaj
Communicator

Hi,

I am working on creating Reports in Splunk Search & Reporting app 6.4.1. When I schedule for a report, it gave me alert actions choice and only with two options as Send Email and Run a Script.

Instead of this, I want to log events from this report. But I could not find that option anywhere in the report settings section.

Could anyone please help me on this.

0 Karma

Kate_Lawrence-G
Contributor

Do you mean you want to log new events into a summary index, or you want to track that the report completed its schedule?

0 Karma

akarivaratharaj
Communicator

Hi @Gupta,

First I have saved my search query as a Report. After saving, it asked me "do you want to schedule the report" and I gave the option yes. Then it redirects me to the page where the report schedule with timing options is available. So I scheduled the report to run every day at 10:00 AM.

Now my requirement is, whenever the report runs at the scheduled time, I want to log those as events. In the current version of Splunk 7.0.0, I could see the options as Log Events, Run a Script, Send Email, etc.
But in the 6.4.1 version, I could see only the Send Email and Run a script options.

So whenever my scheduled report runs, I could either do Send Email or Run a Script. But I also need those to be logged as events in the summary index. So please help me to achieve this.

If required, I can provide the screenshots also.

0 Karma

Kate_Lawrence-G
Contributor

In versions of Splunk lower than 7.0 the same function can be achieved with the summary indexing option (located towards the bottom of the page, below Alert actions); this will send the events from your search into a new summary index.
Optionally you could also use the | collect command and achieve the same result. Just be sure when you are storing data into a summary index that it matches the format that you expect 🙂

0 Karma

akarivaratharaj
Communicator

Yeah, I have that option under Alert actions. I have selected the summary index also, but when it creates the new events in the summary index, what are the host, source and sourcetype details it uses for the new events? If at all I need to modify the source and sourcetype details, how can I achieve it according to my project requirements?

0 Karma

Kate_Lawrence-G
Contributor

So yes, summary indexing will create new host, source and sourcetype fields for that data, which has essentially been newly indexed into the summary index you just created.
You can either just use different field names for the host, source and sourcetype fields (i.e. orig_) or remap them using the option under Summary Indexing in the UI.

I've always found the best way to validate and test a new index is to use the | collect command to ensure everything looks OK before setting up the job. The Summary Indexing option in the UI really just uses that | collect command anyway.

Check out the docs for more info:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Usesummaryindexing

0 Karma

akarivaratharaj
Communicator

Hi Gupta,

Thanks for the information. When I am scheduling my report, I need the alert actions to be carried out as logging events. So as per your suggestion I have enabled the Summary index option.

So the Summary index is logging those events in it with the default source and sourcetype. In my case, by default I am getting the sourcetype as "stash". I have tried to edit the sourcetype through the "Searches, reports, and alerts -> MyReport -> Advanced Edit" option. The change does not work in the Splunk version 6.4.1 but it is working in the current version 7.0.0.

So how can I change it in my Splunk 6.4.1?

0 Karma

Kate_Lawrence-G
Contributor

Well, like I said before, when you summary index data it is new data that has been indexed, so it will have a new host, source & sourcetype assigned automatically.

You can either just use a different field instead of sourcetype from your events, or put a new value into the existing sourcetype field using an | eval statement assignment.

0 Karma
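As an added example (not from the thread, and not Splunk's own reference material), this is how the two suggestions above fit together in one search: keep the original host under an orig_ name, then set the summary event's source and sourcetype explicitly in | collect instead of accepting the default "stash". The first search runs with testmode=true so nothing is written while you check the output; drop testmode for the scheduled report. The second search verifies what landed in the summary index. The index name summary, the web/access_combined source data and the report:daily_5xx names are assumptions.

```spl
index=web sourcetype=access_combined status>=500 earliest=-24h@h latest=@h
| stats count AS error_count BY host, uri_path
| where error_count > 10
| rename host AS orig_host
| collect index=summary source="report:daily_5xx" sourcetype="report:daily_5xx" marker="report=daily_5xx" testmode=true

index=summary sourcetype="report:daily_5xx" earliest=-1d@d
| stats count BY source, sourcetype, host, orig_host
```

If the verification search still shows sourcetype=stash, the scheduled version is being written by the UI's Summary Indexing action rather than by the | collect in the search itself; leave the UI action off when the search does its own collect, otherwise the events are indexed twice.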