Databases Reference
In-Depth Information
Let's look at the following fields:
•
Search
:
source="impl_splunk_gen" | stats count by user
This is our query. Later we will use
sistats
, a special summary index
version of
stats
.
•
Start time
:
-62m@m
It may seem strange that we didn't simply say
-60m@m
, but we need
to take latency into account. See the
How latency affects summary queries
section discussed later for more details.
•
Finish time
:
-2m@m
•
Schedule and Alert
|
Schedule this search
: This checkbox needs to be
checked for the query to run on a schedule.
•
Schedule type
:
Cron
•
Cron schedule
:
2 * * * *
This indicates that the query runs on minute
2
of every hour, every day.
To accommodate for latency,
Cron schedule
is shifted after the beginning
of the hour along with the start and finish times
.
See the
How latency affects
summary queries
section discussed later for more details.
•
Summary indexing
|
Enable
: This checkbox enables writing the output
to another index.
•
Select the summary index
:
summary_impl_splunk
This is the index to write our events to.
Non-admin users are only allowed to write to the index summary.
This ability is controlled by the
indexes_edit
capability,
which only the admin role has enabled by default. See
Chapter 10
,
Configuring Splunk
, for a discussion on roles and capabilities.
•
Add fields,
: Using these fields, you can store extra pieces of information
in your summary index. This can be used to group results from multiple
summary results, or to tag results.
Search WWH ::
Custom Search