https://community.splunk.com/t5/Knowledge-Management/Summary-Index-search-problems/m-p/24016#M202 <P>Yeah, that's what I've ended up doing. I was trying avoid large result collections, only wanting to keep the top X results each time. (Not exactly what I wanted, but good enough for a check mark.)</P> <P>Thanks!</P> Tue, 03 Aug 2010 21:30:42 GMT twinspop 2010-08-03T21:30:42Z https://community.splunk.com/t5/Knowledge-Management/Summary-Index-search-problems/m-p/24014#M200 <P>My scheduled search:</P> <PRE><CODE>[Summary Logins Per Second] action.summary_index = 1 action.summary_index._name = lgn-stats cron_schedule = 10 5-17 * * 1-5 dispatch.earliest_time = -15m@m dispatch.latest_time = -5m@m displayview = flashtimeline enableSched = 1 realtime_schedule = 0 request.ui_dispatch_view = flashtimeline search = SYSCODE=LGN-* | sitop _time vsid = gc6frvm6 </CODE></PRE> <P>After running through a few cycles this morning, I ran this search:</P> <PRE><CODE>index=lgn-stats search_name="Summary Logins Per Second" | top _time </CODE></PRE> <P>Our app is particularly busy at the top of the hour. I'm trying to grab the busiest seconds at the top 10 minutes of every hour (X:55:00 - Y:05:00) for monthly reporting. However, the SI search above is returning total events for the entire 10 minutes as the top entries, followed by the top seconds that I really want. Example:</P> <PRE><CODE>time count percent 1 8/2/10 5:55:00.000 AM 55770 inf 2 8/2/10 6:55:00.000 AM 34025 inf 3 8/2/10 4:55:00.000 AM 24479 inf 4 8/2/10 5:56:59.000 AM 155 inf 5 8/2/10 6:00:05.000 AM 144 inf 6 8/2/10 5:58:40.000 AM 137 inf 7 8/2/10 5:59:30.000 AM 136 inf 8 8/2/10 5:58:42.000 AM 134 inf 9 8/2/10 6:00:12.000 AM 131 inf 10 8/2/10 5:59:25.000 AM 128 inf </CODE></PRE> <P>Apparently I've misunderstood something basic about the SI command set. Any tips?</P> <P>Thanks, Jon</P> Mon, 02 Aug 2010 22:16:13 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-Index-search-problems/m-p/24014#M200 twinspop 2010-08-02T22:16:13Z https://community.splunk.com/t5/Knowledge-Management/Summary-Index-search-problems/m-p/24015#M201 <P>I think the search you want is:</P> <PRE><CODE>SYSCODE=LGN-* | timechart count span=1s </CODE></PRE> <P>This will return the # of matching events in 1 second buckets, or whatever bucket you want. Try it without the si. You can sort it by count to find the 'second' that has the most events. </P> <P>If it works then just tack on the sitimechart and use that recurring search to fill your summary. </P> <PRE><CODE>SYSCODE=LGN-* | sitimechart count span=1s </CODE></PRE> Tue, 03 Aug 2010 05:57:07 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-Index-search-problems/m-p/24015#M201 dskillman 2010-08-03T05:57:07Z https://community.splunk.com/t5/Knowledge-Management/Summary-Index-search-problems/m-p/24016#M202 <P>Yeah, that's what I've ended up doing. I was trying avoid large result collections, only wanting to keep the top X results each time. (Not exactly what I wanted, but good enough for a check mark.)</P> <P>Thanks!</P> Tue, 03 Aug 2010 21:30:42 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-Index-search-problems/m-p/24016#M202 twinspop 2010-08-03T21:30:42Z