Backfilling the number of purchases by city
In the previous recipe, you generated an hourly summary, and then, after waiting for 24 hours, you were able to report on the summary data over a 24-hour period. However, what if you wanted to report over the past 30 days or even 3 months? You would have to wait a long time for your summary data to build up over time. A better way is to backfill the summary data over an earlier time period, assuming you have raw data for this time period in Splunk.
In this recipe, you will create a search that identifies the number of purchases by city on a given day and writes its results to a summary index. You will leverage the IP location database built into Splunk to derive the city from the IP address in each event. You will then execute a script that comes bundled with Splunk to backfill the summary for the previous 30 days. Following this, you will use the generated summary data to quickly report on the number of purchases by city for the past...
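As an added example (not the recipe's own configuration), a savedsearches.conf stanza that does what the recipe describes: count one day's purchases by city using iplocation and write the result to a summary index on a daily schedule. The index, sourcetype, field names and the request path that marks a purchase are assumptions about the data and would be adjusted to match your own.

```ini
# savedsearches.conf (added example; index, sourcetype, field names and the
# purchase criterion below are assumptions about the data, not the recipe's)
[Purchases by City]
# One calendar day of raw web access events. A purchase is assumed to be a
# successful request to /checkout. Events whose client IP cannot be
# geolocated (private addresses, for example) get no City from iplocation,
# so they are bucketed as "Unknown" rather than silently dropped.
search = index=main sourcetype=access_combined status=200 uri_path="/checkout" \
  | iplocation clientip \
  | fillnull value="Unknown" City \
  | stats count AS purchases BY City
# Run shortly after midnight over the previous calendar day.
enableSched = 1
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Write the results into the summary index rather than only keeping a report.
action.summary_index = 1
action.summary_index._name = summary
# Tag every summary event so reports can select this summary by a stable
# field value instead of relying on the saved search's display name.
action.summary_index.report = purchases_by_city
```

With the saved search in place, running `splunk cmd python fill_summary_index.py -app search -name "Purchases by City" -et -30d@d -lt @d -j 8 -dedup true -auth <user>:<password>` from $SPLUNK_HOME/bin executes it once per day over the previous 30 days, skipping days the summary index already holds. A report such as `index=summary report=purchases_by_city | stats sum(purchases) AS purchases BY City` then reads the backfilled summary instead of the raw events.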