Configure summary indexing
For a general overview of summary indexing and instructions for setting up summary indexing through Splunk Web, see the topic Increase reporting efficiency with summary indexing in the Users Manual.
You can't manually configure a summary index for a search in savedsearches.conf until the search:
- Is saved
- Is scheduled
- Has an alert configured for it
- Is enabled
Note: You must configure an alert for your saved search if you want to use it in conjunction with a summary index; if you do not, the search will run but it won't populate the summary index.
When you perform these steps through Splunk Web, the system generates an index for you when you enable the summary index for the saved, scheduled, alert-configured search. The index will have the same name as the saved search. At this point you can manually configure summary indexing for the saved search.
For details about using Splunk Web to perform these actions for searches, see the Save, schedule, set alerts, and enable summary indexing topic in the User Manual.
Alternatively, you can use the addinfo and collect search commands to create a search that will be saved and scheduled, and which will populate a pre-created summary index. For more information about that method, see "Manually populate the summary index" in this topic.
Note: Indexing events in a summary index counts against your license volume. We recommend that you not index more events in your summary indexes than you really need. Consult Splunk support for specific information on license volume impact.
Customize summary indexing for a saved, scheduled, alert-configured search
When you use Splunk Web to enable summary indexing for a scheduled saved search, Splunk automatically generates a stanza in $SPLUNK_HOME/etc/system/local/savedsearches.conf. You can customize summary indexing for the saved search by editing this stanza.
```
[<name>]
action.summary_index = <1 | 0>
action.summary_index._name = <string>
action.summary_index.<field> = <string>
```
- [<name>]: Splunk names the stanza based on the name of the saved, scheduled, alert-configured search for which you enabled summary indexing.
- action.summary_index = <1 | 0>: Set to 1 to enable summary indexing. Set to 0 to disable summary indexing.
- action.summary_index._name = <string>: The name of the summary index into which the search results are written.
- action.summary_index.<field> = <string>: Specify a field/string pair to add to every search result indexed in the summary index.
Note: This field/string pair acts as a "tag" of sorts that makes it easier for you to identify the events that go into the summary index when you are performing searches amongst the greater population of event data. This key is optional, but we recommend that you never set up a summary index without at least one field/string pair.
Manually populate a manually created summary index
If you want to configure summary indexing without using the search options dialog in Splunk Web, you must first configure a summary index just like you would any other index via indexes.conf. For more information about manual index configuration, see the topic How indexing works in this manual.
Important: You must restart Splunk for changes in indexes.conf to take effect.
1. Run a search that you want to summarize results from in the Splunk Web search bar.
- Be sure to limit the time range of your search. The number of results that your search generates needs to fit within the maximum search result limits you have set for searching.
- Make sure to choose a time interval that works for your data, such as 10 minutes, 2 hours, or 1 day. (For more information about setting intervals through the search bar, see the Schedule a search subtopic in the User Manual.)
2. Use the addinfo search command. Append | addinfo to the end of your search.
- This command adds information about the search to events that the collect command requires in order to place them into a summary index.
- You can always add | addinfo to any search to preview what the results of a search will look like in a summary index.
3. Add the collect search command. Append |collect index=<index_name> addtime marker="info_search_name=\"<summary_search_name>\"" to the end of the search.
- Replace <index_name> with the name of the summary index.
- Replace <summary_search_name> with a key to find the results of this search in the index.
- A summary_search_name *must* be set if you wish to use the overlap search command on the generated events.
Note: For the general case we recommend that you use the provided summary_index alert action. Configuring via addinfo and collect requires some redundant steps that are not needed when generating summary index events from scheduled searches. Manual configuration remains necessary when backfilling a summary index for time ranges which have already transpired.
Manually configure a search to populate a summary index
If you've used Splunk Web to save, schedule, and configure an alert for a search, but haven't used Splunk Web to enable the summary index for the search, you can easily enable summary indexing for the saved search through savedsearches.conf as long as you have a new index for it to populate. For more information about manual index configuration, see the topic How indexing works in this manual.
Add the following keys to $SPLUNK_HOME/etc/system/local/savedsearches.conf:
- action.summary_index = <1 | 0>: Set to 1 to enable summary indexing for a saved search.
- action.summary_index._name = <string>: Add the name of the summary index you created for this search.
- action.summary_index.<field> = <string>: Add additional field/value pairs to events going into your summary index. Add as many as you like.
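The prerequisites above (scheduled, alert configured, an index name, at least one tag field) and the addinfo/collect rules from the manual-population procedure are easy to get wrong by hand. The following audit script is an added example, not part of the Splunk documentation: it parses a savedsearches.conf and reports stanzas that enable summary indexing without meeting those prerequisites, or that pipe into collect without addinfo. It assumes, as the page's own example does, that a counttype key marks the alert configuration; the sample file content is constructed here.

```python
import configparser
import io
import re

# Constructed sample savedsearches.conf: a correct stanza, a scheduled search that
# enables summary indexing without a tag field, and a backfill search lacking addinfo.
SAMPLE_CONF = """
[Apache Method Summary]
enableSched = 1
schedule = */12 * * * *
counttype = always
search = index=apache_raw startminutesago=30 endminutesago=25 | stats count by method
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = "count by method"
[Untagged Summary]
enableSched = 1
counttype = always
search = index=web | stats count by status
action.summary_index = 1
action.summary_index._name = summary
[Backfill Errors]
enableSched = 0
search = index=web status>=500 | stats count by host | collect index=summary addtime marker="info_search_name=\\"backfill_errors\\""
"""

def audit(conf_text):
    """Return {stanza: [problem, ...]} for stanzas that touch summary indexing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case ("enableSched") and dots as written
    cp.read_file(io.StringIO(conf_text))
    problems = {}
    for name in cp.sections():
        s, issues, search = cp[name], [], cp[name].get("search", "")
        if s.get("action.summary_index") == "1":
            if s.get("enableSched") != "1":
                issues.append("summary indexing enabled but search is not scheduled")
            if "counttype" not in s:  # assumption: counttype marks the alert, as in the page's example
                issues.append("no alert configured: summary index will not be populated")
            if not s.get("action.summary_index._name"):
                issues.append("action.summary_index._name is missing")
            if not [k for k in s if k.startswith("action.summary_index.") and k != "action.summary_index._name"]:
                issues.append("no action.summary_index.<field> tag")
        if re.search(r"\|\s*collect\b", search):
            if not re.search(r"\|\s*addinfo\b", search):
                issues.append("collect used without addinfo")
            if "info_search_name=" not in search:
                issues.append("collect marker lacks info_search_name; overlap cannot be used")
        if issues:
            problems[name] = issues
    return problems
```

Point it at $SPLUNK_HOME/etc/system/local/savedsearches.conf (read the file into a string and pass it to audit) to review a real deployment before the scheduler starts writing into the summary index.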
Example of a summary index configuration
This example shows a configuration for a summary index of Web statistics as it might appear in savedsearches.conf. The keys listed below enable summary indexing for the saved search "MonthlyWebstatsReport", and append the field Webstatsreport with a value of 2008 to every event going into the summary index.
```
# name of the saved search = Apache Method Summary
[Apache Method Summary]
# sets the search to run at each search interval
counttype = always
# enable the search schedule
enableSched = 1
# search interval in cron notation (this means "every 12 minutes")
schedule = */12 * * * *
# id of user for saved search
userid = jsmith
# search string for summary index
search = index=apache_raw startminutesago=30 endminutesago=25 | extract auto=false | stats count by method
# enable summary indexing
action.summary_index = 1
# name of summary index to which search results are added
action.summary_index._name = summary
# add these keys to each event
action.summary_index.report = "count by method"
```
Other configuration files affected by summary indexing
In addition to the settings you configure in savedsearches.conf, there are also settings for summary indexing in indexes.conf and alert_actions.conf.
The indexes.conf file specifies the index configuration for the summary index. The alert_actions.conf file controls the alert actions (including summary indexing) associated with saved searches.
Caution: Do not edit settings in alert_actions.conf without explicit instructions from Splunk staff.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14