Splunk® Enterprise

Alerting Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Enable summary indexing

Summary indexing is available on scheduled alerts. It helps you analyze or report on large amounts of data over long time ranges. Running such searches directly over the raw data is typically time consuming and can impact performance when several users run similar searches on a regular basis.

Before you begin, ensure that the alert's search generates statistical or summary data.

1. Using the top-level navigation bar, select Settings > Searches, Reports, and Alerts.
2. Select the alert to open the alert detail page.
3. To have the summary index gather data on a regular interval, set Alert condition to "Always".
4. Select Enable under Summary Indexing.

  • Note that this option is unavailable for real-time alerts.
  • If not already specified, this sets the Alert condition to "Always".

5. Click Save.

Searches and summary indexing

To use summary indexing with an alert, create a search that computes statistics or a summary for events over a period of time. Search results are saved into a summary index that you designate. You can search over this smaller summary index instead of working with the larger original dataset.

It is typical to use reporting commands in a search that populates a summary index. See Use summary indexing for increased reporting efficiency in the Knowledge Manager manual.
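The steps above configure summary indexing through Splunk Web; the same settings can be expressed directly in savedsearches.conf. The following stanza is an added example, not taken from the Splunk documentation: it schedules an hourly reporting search that counts failed logins per host and user and writes the results to a summary index. The stanza name, the `summary_auth` index, the `linux_secure` sourcetype and the `report` marker field are constructed values; the summary index itself must already be defined in indexes.conf.

```ini
# savedsearches.conf (added example, not from the Splunk docs).
# Constructed values: stanza name, summary index "summary_auth",
# sourcetype "linux_secure", marker field "report".
[failed_auth_by_host]
# Scheduled search: runs at five minutes past each hour and covers the previous whole hour
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Alert condition "Always": trigger on every run regardless of how many results are returned
counttype = always
# Enable summary indexing and name the target index (must exist in indexes.conf)
action.summary_index = 1
action.summary_index._name = summary_auth
# Marker field added to every summary event so later searches can select this report's data
action.summary_index.report = failed_auth_by_host
# Reporting search using the si- variant of stats, so partial results can be
# combined correctly when the summary is searched across many hours
search = sourcetype=linux_secure "Failed password" | sistats count by host, user
```

To report from the summary instead of the raw events, search the summary index and filter on the marker field, for example `index=summary_auth report=failed_auth_by_host | stats count by host, user` over the desired time range.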

Last modified on 28 January, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
