Hello,
I am quite green at Splunk and have a problem I could use some help with.
My data is coming from a postgres database via the Splunk DB Connect App, where each input (source) into Splunk is a postgres table.
I am trying to join two sources, which I can do in a regular search, but I am trying to improve performance since my join search is running quite long, so I am looking at summary indexing.
The two sources are as follows:
**action_times**
action_time
act_id
**actions_table**
act_id
operation
Here is the base search that returns the expected results.
`source="action_times" | join type=inner act_id [search source="actions_table"] | stats count by operation`
I have been able to set up a summary index and schedule a report which runs the search above, but the `actions_table` really does not update often so most subsequent runs of the scheduled report return no events, despite there being tens of thousands of events from `action_times`.
**What I would like to do...**
- I would like to use summary indexing to pull in the joined data, either with an actual join command, or without.
If there is any other helpful information I can provide, please let me know.
Thank you,
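An added example (not from the original post) of one way to build the summary without a `join`, so the scheduled search no longer depends on `actions_table` rows arriving inside each report window: the first search refreshes a lookup from the rarely changing table on its own (infrequent) schedule, and the second enriches `action_times` from that lookup and writes `sistats` results with summary indexing enabled on the report. The lookup name `actions_lookup.csv`, the `dedup`, and the `isnotnull` filter (which reproduces the inner-join behaviour) are assumptions.

```spl
source="actions_table" earliest=0
| dedup act_id
| table act_id operation
| outputlookup actions_lookup.csv

source="action_times"
| lookup actions_lookup.csv act_id OUTPUT operation
| where isnotnull(operation)
| sistats count by operation
```

Reporting then runs against the summary index, for example `index=summary source="<report name>" | stats count by operation`, which resolves the `sistats` pre-aggregates into the same counts as the original search.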