• About Preview
  • About Preview
    • Welcome to Splunk Preview!
    • Installing Splunk Preview
    • Preview license information
    • Important changes in Splunk Preview
    • About Splunk Preview documentation
    • Developers involved
    • Tell us what you think
  • Known Issues in this Preview
    • General issues
    • Windows-specific issues
• New Splunk Web features
  • Changes to Splunk Web
    • Dashboard elements
    • Admin navigation
• New search-related features
  • crawl
    • Use crawl
    • Save a crawl
    • Configure crawl
    • Command syntax
    • Arguments
    • Examples
    • crawl.conf
  • Search command: addinfo
    • Syntax
    • Arguments
    • Examples
  • Search command: collect
    • Syntax
    • Arguments
    • Examples
  • Search command: eventstats
    • Syntax
    • Arguments
    • Examples
  • Search command: makemv
    • Syntax
    • Arguments
    • Examples
  • Search command: mvcombine
    • Syntax
    • Arguments
    • Examples
  • Search command: mvexpand
    • Syntax
    • Arguments
    • Examples
  • Search command: nomv
    • Syntax
    • Arguments
    • Examples
  • Search command: overlap
    • Syntax
    • Arguments
    • Examples
  • Search command: rawstats
    • Syntax
    • Arguments
    • Examples
• New reporting features
  • Summary indexing
    • How summary indexing works
    • Search commands useful to summary indexing
    • How to configure summary indexing
  • Configure summary indexing
    • Set up summary indexing via Splunk Web
    • Configure summary indexing via savedsearches.conf
    • Other configuration files affected by summary indexing
  • Best practices for summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• New application and configuration features
  • Applications
    • View and manage applications
    • Browse SplunkBase
  • Indexes
    • View and manage indexes
    • Create new index
  • Configuration file architecture changes
  • Automatic header-based field extraction
    • How automatic header-based field extraction works
    • Configure automatic header-based field extraction
    • Note about search and header-based field extraction
    • Examples
• New Windows features
  • Install Splunk on Windows
    • Start Splunk
    • Install or upgrade license
    • Uninstall Splunk
  • Windows registry input
    • How it works
    • Get a baseline snapshot
    • What to consider
    • Configure Windows registry input
    • Hear from the developers!
  • WMI input
    • Security and remote access considerations
    • Configure WMI input
    • Source and source type for WMI data
    • Hear from the developers!

Configure summary indexing

This page contains information to help you set up summary indexing for any saved search via Splunk Web, and customize it further by editing savedsearches.conf. For an introduction to summary indexing refer to Summary indexing.

Set up summary indexing via Splunk Web

Saving results to a summary index is an alert action. Configure summary indexing as an alert action for any scheduled saved search.

1. Create a scheduled search in the Saved searches heading of the Admin page.
2. Select Run this search on a schedule to configure alert properties.
3. Set the Enable summary indexing alert property
4. Optionally, add a field/value pair to add to search results obtained by the scheduled saved search.

Note: Currently, you can only add one field/value pair when configuring summary indexing in Splunk Web. You can add as many as you like if you add them by editing savedsearches.conf.

Configure summary indexing via savedsearches.conf

The information in this section explains how to further configure summary indexing once you have set it up in Splunk Web.

Note: You must set up summary indexing for a saved search in Splunk Web before you configure additional settings in savedsearches.conf.

When you enable summary indexing for a saved search in Splunk Web, Splunk automatically generates a stanza in savedsearches.conf. Customize summary indexing by editing the generated stanza. Splunk names the stanza based on the name of the saved search for which you enabled summary indexing, like this: [summary_savedsearchname].

Summary indexing keys:

Example:
This example shows a configuration for a summary index of Web statistics. The keys listed below enable summary indexing for the saved search "MonthlyWebstatsReport", and append the field Webstatsreport witht a value of 2008 to every event going into the summary index.

# name of the summary index= MonthlyWebstatsReport
[summary_MonthlyWebstatsReport]
# enable summary indexing
action.summary_index = 1   
# add these keys to each  event
action.summary_index.Webstatsreport=2008

Other configuration files affected by summary indexing

In addition to the settings you configure in savedsearches.conf, summary indexing requires that settings exist in indexes.conf, and alert_actions.conf. Splunk ships with the necessary default settings:

• indexes.conf: A stanza with the index configuration information for the summary index.
• alert_actions.conf: Settings that control the alert actions (including summary indexing) associated with saved searches.

Caution: Do not edit settings in alert_actions.conf without explicit instructions from Splunk staff.