https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291039#M2556 <P>Hi all,</P> <P>I have a search that runs over eventdata from a website that runs over a few weeks of data. It should return (among other things) the average number of pageviews per user and the standard deviation of this number. I want to create a summary index of this data. I am using two transforming commands to achieve this. The final one of these I replace by its si- variant to create the summary index. However, the results are not the same as when I just run the original search (over the same time range) against the raw data. </P> <P>The search looks like this:</P> <P>event="pageview"<BR /> | rename ...<BR /> | eval Variant = ... , deviceGroup = ...<BR /> | stats count as pageview_per_user by userID, Variant, deviceGroup<BR /> | sistats dc(userID) as users, sum(pageview_per_user) as pageviews, avg(pageview_per_user) as avg_pv, stdev(pageview_per_user) as std_pv by Variant, deviceGroup<BR /> In particular the total number of pageviews is way off when I use the summary index. I am running the search that populates the summary index over a time range: 1 august until <A href="mailto:-1h@h" target="_blank">-1h@h</A>. It runs every hour.</P> <P>What could be the problem here, could it be the use the two (si)stats commands?</P> <P>By the way, I realize I could probably use report acceleration here, but I want to understand summary indexing better.</P> <P>Best, Jacob</P> Tue, 29 Sep 2020 15:26:36 GMT JacobPN 2020-09-29T15:26:36Z https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291039#M2556 <P>Hi all,</P> <P>I have a search that runs over eventdata from a website that runs over a few weeks of data. It should return (among other things) the average number of pageviews per user and the standard deviation of this number. I want to create a summary index of this data. I am using two transforming commands to achieve this. The final one of these I replace by its si- variant to create the summary index. However, the results are not the same as when I just run the original search (over the same time range) against the raw data. </P> <P>The search looks like this:</P> <P>event="pageview"<BR /> | rename ...<BR /> | eval Variant = ... , deviceGroup = ...<BR /> | stats count as pageview_per_user by userID, Variant, deviceGroup<BR /> | sistats dc(userID) as users, sum(pageview_per_user) as pageviews, avg(pageview_per_user) as avg_pv, stdev(pageview_per_user) as std_pv by Variant, deviceGroup<BR /> In particular the total number of pageviews is way off when I use the summary index. I am running the search that populates the summary index over a time range: 1 august until <A href="mailto:-1h@h" target="_blank">-1h@h</A>. It runs every hour.</P> <P>What could be the problem here, could it be the use the two (si)stats commands?</P> <P>By the way, I realize I could probably use report acceleration here, but I want to understand summary indexing better.</P> <P>Best, Jacob</P> Tue, 29 Sep 2020 15:26:36 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291039#M2556 JacobPN 2020-09-29T15:26:36Z https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291040#M2557 <P>looks like you are doing stats over stats.<BR /> try and arrange the data according to your needs and use the <CODE>| collect</CODE> command to send the results to summary index.<BR /> read here more:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Collect">http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Collect</A></P> Wed, 16 Aug 2017 12:13:12 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291040#M2557 adonio 2017-08-16T12:13:12Z https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291041#M2558 <P>Thanks! Could you explain a little about why the stats over stats search I wrote gives the wrong results?</P> <P>And should I just replace sistats by stats, pipe everything to collect, and schedule the search to run every hour (and should I still check "Enable" under summary indexing when I save the serach?). <BR /> Sorry for my ignorance.</P> Wed, 16 Aug 2017 13:56:32 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291041#M2558 JacobPN 2017-08-16T13:56:32Z https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291042#M2559 <P>There is nothing wrong with two stats commands, as long as they are aggregating the information you want them to collect. Since the aggregation is running hourly, across a longer time frame, you need to add <CODE>_time</CODE> into the first <CODE>stats</CODE> in order to collect valid comparison data.</P> <P>Do this across your longer time frame and see how well it matches a pull from your summary for the same time frame.</P> <PRE><CODE> event="pageview" | rename ... | eval Variant = ... , deviceGroup = ... | bin _time span=1h | stats count as pageview_per_user by userID, Variant, deviceGroup, _time | stats count as users, sum(pageview_per_user) as pageviews, avg(pageview_per_user) as avg_pv, stdev(pageview_per_user) as std_pv by Variant, deviceGroup </CODE></PRE> <P>or </P> <PRE><CODE> | sistats dc(userID) as users, sum(pageview_per_user) as pageviews, avg(pageview_per_user) as avg_pv, stdev(pageview_per_user) as std_pv by Variant, deviceGroup </CODE></PRE> Wed, 16 Aug 2017 15:50:06 GMT https://community.splunk.com/t5/Knowledge-Management/Summary-indexing-and-multiple-transforming-commands/m-p/291042#M2559 DalJeanis 2017-08-16T15:50:06Z