I'm trying to dig deeper into summary indexing, but at this point I feel a bit confused.
What I did so far is:
- created an index to use for summaries (so as not to use the built-in summary)
- stored some of my search results with collect: | collect index=my_summary_index sourcetype=my_summary_sourcetype
I was looking at the si-commands, sistats in the first place.
What I don't get is, how do I store the results from sistats in a summary index?
Do I have to add collect after sistats, or can I not use it in an inline search, and do I have to schedule it and enable summary indexing for the report?