I am able to generate events using summary indexing. In the search app I type in index=_internal search_name="index usage". The results displays the events, but actually the results that I have saved and scheduled search using summary index is in the form of a table report. Why isn't the table report getting generated? The event logs get displayed but i need the original saved report displayed.
Assume you created the summary index with the a saved search named "index usage" that looks like this:
yoursearchhere | sistats count by fx fy fz
You should not be saving your search results in the _internal
index!! They should be saved in a summary index; there is a default summary index, named summary
. A Splunk admin can create other summary indexes, but I will use summary
for this example.
Then you retrieve the results with this search:
index=summary search_name="index usage" | stats count by fx fy fz
Note that this search ends with the same command as the first search, but substituting the stats command for the sistats.