Splunk Search

Running a scheduled search and saving the results to a summary index, how do I view the results as a table?

monteirolopes
Communicator

Hi,

I created a search that returns me a table with some values, follows:

... | table name, id, date

I scheduled my search to run every day at midnight and the results are saved in the summary index.
In my summary index, I see each table row as an event. Is this correct? How can I see the results like a table on the summary index?

Best regards,
Lopes.

0 Karma
1 Solution

somesoni2
Revered Legend

You should be able to see data from your summary index using following query

index=yoursummaryindexname source=NameOfYOurSummaryIndexSearch | table name id date

View solution in original post

somesoni2
Revered Legend

You should be able to see data from your summary index using following query

index=yoursummaryindexname source=NameOfYOurSummaryIndexSearch | table name id date

monteirolopes
Communicator

I was not sure if I could use the normal commands, but I saw a note on the documentation talking about it.
"Note: You do not have to use the si- summary index search commands if you are proficient with the "old-school" way of creating summary-index-populating searches."

Thank you!

0 Karma

woodcock
Esteemed Legend

It depends on which command you used to put it into the SI. It is all described here:

http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Usesummaryindexing

0 Karma
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...