I'm just starting to get into summary indexes and changing over some reports that were previously long-running to use a summary index to speed them up. I'm aware that I need to have two parts to producing and consuming the summary data:
A search that runs regularly on fixed intervals (in my case, a 24-hour period) that populates the summary index;
A search that runs as often as I want that consumes the produced summary data.
I have devised the search that I want to use to populate my summary index. I've tested this with the collect command to make sure the data comes in correctly, using different marker values for test data. Now I want to schedule this search to run every day, to populate data from the previous 24-hour day.
But the way Splunk Reports work, I can't seem to define the Report without executing the report - the Save button is not available until you've executed the search (or if you have an existing Report, it isn't available until you change the definition of the original report and then execute it). And from basic testing, it looks like the collect command will partially populate results even if you terminate the job half-way through.
So what is the way to solve this? Ideally, something like the Dashboard's source editor for Reports would be available, where I can alter the Report's commands without actually executing them.
For reference, my search command to populate the summary index looks something like this:
"prd-safe" env="prd-safe" dbCapable query eventtype="unicorn_jira"
| ... | stats latest(_time) AS _time, latest(mMode) AS mMode, count AS totalRequests, sum(totalSearches) AS totalSearches, sum(numCapable) AS totalCapable, sum(numEquivTrue) AS totalEquivTrue, median(totalDbDelta) AS p50Delta, perc99(totalDbDelta) AS p99Delta, max(totalDbDelta) AS p100Delta by hostname
| ... | collect index=summary_team marker="report=jvs_migration_daily"
And ideally the Report would be scheduled to run Daily at 10am, for the period of the previous day i.e. -1d@d to -0d@d
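The usual way to get a scheduled summary-indexing report defined without ever running it interactively is to create the saved search from configuration rather than from the Search UI: either a stanza in savedsearches.conf or a POST to the saved/searches REST endpoint. Neither path dispatches the search; only the scheduler runs it. The script below is an added example (not code from the original post or from Splunk) that builds that stanza and the equivalent REST form body, and it assumes a stand-in search string (the post elides its middle with "..."), the constructed names REPORT_NAME, summary_team and report=jvs_migration_daily, and the 10am cron schedule described above. One caveat it enforces: when the summary_index action is enabled, Splunk's scheduler appends the collect step itself, so the "| collect ..." stage must be removed from the search string or the results are written twice.

```python
"""Define a scheduled Splunk summary-index report from configuration.

Added example, not the poster's or Splunk's own code. Values below are
constructed to match the post; the search is a stand-in for the elided one.
"""
import configparser
import io
from urllib.parse import urlencode

REPORT_NAME = "jvs_migration_daily"          # constructed report name
# Stand-in search: the original post elides its middle stages with "...".
BASE_SEARCH = (
    'search "prd-safe" env="prd-safe" dbCapable query eventtype="unicorn_jira" '
    "| stats latest(_time) AS _time, count AS totalRequests by hostname"
)


def summary_report_settings(search, index, marker, cron="0 10 * * *",
                            earliest="-1d@d", latest="-0d@d"):
    """Return the savedsearches.conf keys for a scheduled summary-index report.

    `search` must not contain '| collect': with action.summary_index enabled
    the scheduler appends the collect stage itself, using the
    action.summary_index.<field> keys as marker fields.
    """
    if "| collect" in search:
        raise ValueError("strip '| collect' from the search; the action adds it")
    settings = {
        "search": search,
        "cron_schedule": cron,                 # 10:00 daily
        "dispatch.earliest_time": earliest,    # previous calendar day ...
        "dispatch.latest_time": latest,        # ... up to midnight today
        "enableSched": "1",
        "action.summary_index": "1",
        "action.summary_index._name": index,
    }
    # Each key=value pair of the marker becomes action.summary_index.<key>.
    for pair in marker.split(","):
        key, value = pair.split("=", 1)
        settings[f"action.summary_index.{key.strip()}"] = value.strip()
    return settings


def render_conf_stanza(name, settings):
    """Render the stanza as it goes into <app>/local/savedsearches.conf."""
    lines = [f"[{name}]"] + [f"{k} = {v}" for k, v in settings.items()]
    return "\n".join(lines) + "\n"


def rest_form_body(name, settings):
    """Form body for POST /servicesNS/<user>/<app>/saved/searches.

    The REST parameter is is_scheduled; the conf key is enableSched.
    Creating the saved search this way does not dispatch a job.
    """
    body = {"name": name}
    for k, v in settings.items():
        body["is_scheduled" if k == "enableSched" else k] = v
    return urlencode(body)


def parse_conf_stanza(text):
    """Read a rendered stanza back as a sanity check before deploying it."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_file(io.StringIO(text))
    return {section: dict(cp[section]) for section in cp.sections()}


if __name__ == "__main__":
    settings = summary_report_settings(BASE_SEARCH, "summary_team",
                                       f"report={REPORT_NAME}")
    print(render_conf_stanza(REPORT_NAME, settings))
    print(rest_form_body(REPORT_NAME, settings))
```

Drop the rendered stanza into the app's local/savedsearches.conf and restart or reload the configuration, or send the form body with an authenticated POST; either way the report appears in the Reports list already scheduled and no interactive job is started. Because dispatch.earliest_time and dispatch.latest_time are calendar-snapped (-1d@d to -0d@d), the 10:00 run always summarizes the whole previous day regardless of when the scheduler actually starts it.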