Thanks for explanation, no doubt you are the best even other than Splunk documents...only bad is i Observed all the scenarios surrounding your TMDB app....other than that you are awesome...but EOD your great teacher....
Thanks for taking the time to walk us step-by-step how to implement this. I have attempted to do this as well and I'm running into an issue. It appears that after I create the report and I currently have it configured to run every hour, however ; the results for the first run are the only ones populating to the summary index. Subsequent reports are not populating the summary index and I think this is part of the reason, I'm not seeing my dashboard extract the right information. Any ideas why this might be happening? Thanks in advance.
Actually i was searching for Summary index documents in google. But finally you have showed an hands on again. Great sir!!. I'm really happy now. I also kindly request you to create videos for Custom visualization creation!!
Thank you for sharing this educational video. I created a saved search as report with summary index enabled. This scheduled search is to collect the data for the past 30 days with a frequency of 1 hour.When I open the link from the email generated, I get this response in splunk "There are no results because the first scheduled run of the report has not completed." The query I used was: sourcetype="pcf:Log" AND cf_space_name=perf AND cf_org_name=* | timechart span=1h dc(span_id) by cf_org_name usenull=f useother=f limit=10
It's just saying your saved search didn't ran. Can you check your saved search schedule and also check in internal index whether that search is not skipped.
Thank you so much Sir !!! Very detailed Explanation. How can we add data Through con files(Instead of manual upload) - Is it possible to put a video for this one.
Hi Sir, while planning to implement summary indexing for our project, I came across few doubts. 1. Summary index can be applied in clustering environment? 2. If yes, where I should create index “tmdb_summary”? Create index in cluster master and push the bundle to indexers? 3. Do we need to do anything with search heads apart from creating scheduled search? My questions might be wrong but seeking your inputs😊
Do you have any complete course on splunk? On udemy, or any other learning plataform? I mean any course that will cover everything till splunk archtect....
you can push to summary without addinfo as well...but using the addinfo it will add the earliest, latest and search time of the schedule report which can be useful in different scenario.
Hi Sir, I have a summary index that will be triggered by a summary search through schuduler....Is there a way to find out how many times that index triggered for a day...any internal field that tells the count for one execution... Any suggestions would be really helpful
@@splunk_ml no sir actually I need to see how many times that summary index executed.... for example if I run the summary search 3 times it will trigger the summary index 3 times right....how to find the execution count of the summary index...any internal fields that I can look?
@@Sugreev916 I dont think there is any internal fields which holds the value of how many times the summary index updated. But just wondering me why you want to know that count? are you trying to find whether there is any gap or overlap happened to your summary index?
@@splunk_mlactually I am creating a support dashboard that gives the deatils about the summary search and summary index so if it doesn't match I will trigger an alert
Mostly setting up summary index comes under Admin side, filling up summary index comes under app development side that includes back filling of summary index as well.
We can if you are continuously pushing data to summary index for those 4 months.Now keep in mind that summary indexes are generally not meant to hold event to event wise copy of the other index from which we are populating summary index.
@@vikkyc2555 You need to check the query which is populating the summary index. Its generally done through saved searches. so either you can check all the saved search run history or you can access the summary index using "index=" from search prompt. There also you can see what months data pushed to summary index by checking event _time value.
@@splunk_ml okay ...also just now I created one report which send the CPU usage report from _interspection index to summary index on every one hour time interval as per crone job as per developer guidence and I am new to SPL so please could you provide the command to check whether that CPU report is sending to _interspection to summary index?
@@splunk_mlCurrently I am with Splunk administration and started giving hands on to my friends and colleagues. Is there any good openings on this for MNC's???
@@splunk_mlThanks for the info. It's good to have some discussion with you on few of the main concepts of Splunk. Can I get your contact number if you don't mine??
Which ever video I see of yours find some thing new which never used in practical.... Thank you for the videos
Thank you 🙏
Awesome video - I am happy that there is you who explains splunk - thank you and please keep going :-)
Thanks for explanation, no doubt you are the best even other than Splunk documents...only bad is i Observed all the scenarios surrounding your TMDB app....other than that you are awesome...but EOD your great teacher....
Thanks for taking the time to walk us step-by-step how to implement this. I have attempted to do this as well and I'm running into an issue. It appears that after I create the report and I currently have it configured to run every hour, however ; the results for the first run are the only ones populating to the summary index. Subsequent reports are not populating the summary index and I think this is part of the reason, I'm not seeing my dashboard extract the right information. Any ideas why this might be happening? Thanks in advance.
Actually i was searching for Summary index documents in google. But finally you have showed an hands on again. Great sir!!. I'm really happy now. I also kindly request you to create videos for Custom visualization creation!!
😄 cool man...enjoy..also please spread the news about this channel...I need your support....regarding custom viz its coming very soon.
Splunk & Machine Learning Sure sir👍
Splunk & Machine Learning hi
Thank you for sharing this educational video. I created a saved search as report with summary index enabled. This scheduled search is to collect the data for the past 30 days with a frequency of 1 hour.When I open the link from the email generated, I get this response in splunk
"There are no results because the first scheduled run of the report has not completed." The query I used was:
sourcetype="pcf:Log" AND cf_space_name=perf AND cf_org_name=* | timechart span=1h dc(span_id) by cf_org_name usenull=f useother=f limit=10
It's just saying your saved search didn't ran. Can you check your saved search schedule and also check in internal index whether that search is not skipped.
Nicely explained, thanks!!!
Very informative, Thank you
Thank you so much Sir !!! Very detailed Explanation.
How can we add data Through con files(Instead of manual upload) - Is it possible to put a video for this one.
Hi Satya,
I already posted a video for this. Please find the below link.
th-cam.com/video/JshI6JT60Rs/w-d-xo.html
Sid
@@splunk_ml oh Thank you Sir!!!!
Joined today. I should have joined a long time ago.
You are Genius... Thanks a Ton
Thanks Vikas 👍
Nice video thank you very much, I would like to see a video on how to do a field extraction on summary
Hi Sir, while planning to implement summary indexing for our project, I came across few doubts.
1. Summary index can be applied in clustering environment?
2. If yes, where I should create index “tmdb_summary”? Create index in cluster master and push the bundle to indexers?
3. Do we need to do anything with search heads apart from creating scheduled search?
My questions might be wrong but seeking your inputs😊
Hi Mani,
You will get all your answers in the below link,
docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Clustersandsummaryreplication
Great video! Do you have experience with metric indexes on how to send metrics and run searches off the metric index for increased performance?
Hi Jose,
Yes. I will cover them soon. stay tuned.
Sid
Great Video!! Try to make a video on Splunk data storage too.
Sure man ☺️
Do you have any complete course on splunk? On udemy, or any other learning plataform? I mean any course that will cover everything till splunk archtect....
In this channel only I am covering till splunk architect level. I am not active in any other platform.
Sir pls try to create a video on report acceleration too
Do we need to use addinfo command also or we can direct push with collect cmd only?
you can push to summary without addinfo as well...but using the addinfo it will add the earliest, latest and search time of the schedule report which can be useful in different scenario.
Sir thanks for Splunk knowledge.... could you please help me sir how to show license utilisation by index.
Hi Sai,
you can refer the below link.
answers.splunk.com/answers/355874/how-to-find-license-usage-by-indexes.html
Hi Sir, I have a summary index that will be triggered by a summary search through schuduler....Is there a way to find out how many times that index triggered for a day...any internal field that tells the count for one execution...
Any suggestions would be really helpful
You can see the "view recent" option of that schedule search ...It will show how many events it picked up for a particular run.
@@splunk_ml no sir actually I need to see how many times that summary index executed.... for example if I run the summary search 3 times it will trigger the summary index 3 times right....how to find the execution count of the summary index...any internal fields that I can look?
@@Sugreev916 I dont think there is any internal fields which holds the value of how many times the summary index updated. But just wondering me why you want to know that count? are you trying to find whether there is any gap or overlap happened to your summary index?
@@splunk_mlactually I am creating a support dashboard that gives the deatils about the summary search and summary index so if it doesn't match I will trigger an alert
Kindly do a video on PREDICT function.
Yes I have a plan to cover all the splunk commands eventually.
Sir, This is developing side are administration side
Mostly setting up summary index comes under Admin side, filling up summary index comes under app development side that includes back filling of summary index as well.
Hi , using summary index can we search the data for 4 months in other index which data retention policy is only one month?
We can if you are continuously pushing data to summary index for those 4 months.Now keep in mind that summary indexes are generally not meant to hold event to event wise copy of the other index from which we are populating summary index.
@@splunk_ml but how will check whether we have moved the data in to that summary index since last 4months? This is new client for us
@@vikkyc2555 You need to check the query which is populating the summary index. Its generally done through saved searches. so either you can check all the saved search run history or you can access the summary index using "index=" from search prompt. There also you can see what months data pushed to summary index by checking event _time value.
@@splunk_ml okay ...also just now I created one report which send the CPU usage report from _interspection index to summary index on every one hour time interval as per crone job as per developer guidence and I am new to SPL so please could you provide the command to check whether that CPU report is sending to _interspection to summary index?
@@vikkyc2555 You can directly check your summary index just like other index using the below command,
"index="
how is the next feature on Splunk administrator
I didn't get your question Ravi. Please elaborate.
@@splunk_mlCurrently I am with Splunk administration and started giving hands on to my friends and colleagues. Is there any good openings on this for MNC's???
Yes...Splunk admin has good demand.
@@splunk_mlThanks for the info. It's good to have some discussion with you on few of the main concepts of Splunk. Can I get your contact number if you don't mine??