Using summary index events in a query
After the query to populate the summary index has run for some time, we can use the results in other queries.
If you're in a hurry, or need to report against slices of time before the query was created, you will need to "backfill" your summary index. See the How and when to backfill summary data section for details about calculating summary values for past events.
First, let's look at what actually goes into the summary index:
08/15/2012 10:00:00, search_name="summary - count by user", search_now=1345046520.000, info_min_time=1345042800.000, info_max_time=1345046400.000, info_search_time=1345050512.340, count=17, user=mary
Breaking this event down, we have:
08/15/2012 10:00:00
: This is the time at the beginning of this block of data. This is consistent with how timechart and bucket work.
search_name="summary - count by user"
: This is the name of the search. This is usually the easiest way to find the results you are interested in.
search_now ... info_search_time...
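The following Python script is an added example, not part of the original text. It parses summary events in the layout shown above and reports time ranges that no summary run covered, which are the ranges a backfill would need to fill. It assumes info_min_time and info_max_time are the earliest and latest bounds of the populating search's time range; only the first event is from the text, the others are constructed.

```python
import re

# Sample summary events: the first line is the event from the text,
# the rest are constructed for this example (the 12:00 hour is missing).
EVENTS = [
    '08/15/2012 10:00:00, search_name="summary - count by user", search_now=1345046520.000, info_min_time=1345042800.000, info_max_time=1345046400.000, info_search_time=1345050512.340, count=17, user=mary',
    '08/15/2012 10:00:00, search_name="summary - count by user", info_min_time=1345042800.000, info_max_time=1345046400.000, count=4, user=bob',
    '08/15/2012 11:00:00, search_name="summary - count by user", info_min_time=1345046400.000, info_max_time=1345050000.000, count=9, user=mary',
    '08/15/2012 13:00:00, search_name="summary - count by user", info_min_time=1345053600.000, info_max_time=1345057200.000, count=2, user=mary',
]

# key=value pairs; a value is either double-quoted or runs to the next comma/space.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_event(line):
    """Return the key=value fields of one summary event as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def covered_windows(lines, search_name):
    """Distinct (info_min_time, info_max_time) windows written by one search."""
    windows = set()
    for line in lines:
        f = parse_event(line)
        if f.get("search_name") == search_name:
            windows.add((int(float(f["info_min_time"])), int(float(f["info_max_time"]))))
    return sorted(windows)

def find_gaps(windows):
    """Ranges between consecutive windows that no summary run covered."""
    gaps = []
    covered_until = windows[0][1] if windows else None
    for start, end in windows[1:]:
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps

if __name__ == "__main__":
    for start, end in find_gaps(covered_windows(EVENTS, "summary - count by user")):
        print(f"no summary data for epoch range {start}-{end}")
```

A reported gap can also mean the populating search ran but returned no results for that window, so check the scheduler history before backfilling.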