Re: Write realtime search results to summary index

manjosk8 · ‎08-24-2012

Hi,

I am trying to figure out how to write real time search results to summary index.
Since I cannot create real time search that populates summary index from Manager->Searches and reports view because Splunk hides me an summary index option if I enter value rt for Start time and End time fields, I tried different approach using collect method.

On end of my initial search string I added following statements:

| addinfo | collect run_in_preview=false index=summary_index addtime=t marker="report=\"test\""

and Splunk writes only results to summary index when I finalize real time search, which does not help.

I also tried to run a search using collect run_in_preview=true parameter, but then Splunk writes same events multiple times to summary index, I guess on each real time search refresh.

If you have any suggestions or ideas please help.

Thanks in advance!

dolivasoh · ‎12-29-2014

Try setting it up as an alert to run real-time over 1 minute and send results to the summary index. If that option isn't available to you, you'll need to check your permissions.

cpetterborg · ‎11-13-2014

Why would you want to write real-time results to a summary index? Doesn't that defeat the purpose of a summary index? What are you trying to accomplish with the summary index data? Perhaps that would help formulate a solution to your problem.

Write realtime search results to summary index

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!