topic Re: About psrsvd field which is made by sitimechart command in Knowledge Management

About psrsvd field which is made by sitimechart command

Shuhei052492 — Wed, 30 Sep 2020 02:09:09 GMT

Hello,
I would like to confirm my understanding on the following manual, and know how to get the max value from psrsvd_gc.

First I have saw this caution in the manual.
Caution: Use of these fields and their encoded data by any search commands other than the si* summary indexing commands is unsupported. The format and content of these fields can change at any time without warning.

I have understood that the psrsvd's field cound not be aggregated by streaming comand like stats,chart.
Is that collect?
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Usesummaryindexing

If that is collect, I have no idea how to aggregate the maximum value in summary index data.

The summary index data are created by the following search.
"index=_internal | sitimechart span=1m count by sourcetype"
And there are the following fields to be stored as event in "summary" by "Log event" function.

psrsvd_gc=$result.psrsvd_gc$,
psrsvd_v=$result.psrsvd_v$

And I would like to search max value of "psrsvd_gc" per week.
I appreciate any tips and advice, suggestion.

Best regards,

Re: About psrsvd field which is made by sitimechart command

woodcock — Mon, 09 Sep 2019 13:59:07 GMT

Why are you ignoring the advice? What possible reason could you have to access these values? Do what you are supposed to do and use sistats. Let's say that you are putting a value called count into your summary index. Just pull out the maximum of that value using index = YourIndexName | sistats max(count). You do not need to know or understand how it works (which is the point of the comments in the documentation).

Re: About psrsvd field which is made by sitimechart command

Shuhei052492 — Tue, 10 Sep 2019 07:49:40 GMT

I appreciate your comment.
I will add field of "count" and get the max result.
I am just curious about psrsvd field. Is this field useful?
I do not understand the point to use si- command.

If you have any idea, please let me know.

Re: About psrsvd field which is made by sitimechart command

weidertc — Thu, 02 Dec 2021 20:14:05 GMT

One reason to use the si- commands is to aggregate values for storage (base search or summary index). this is the quickest way to run searches. Simply throwing a table or fields command at the end of a base search often reduces performance, even if it may reduce server load.

Another reason to use the si- commands is to preserve the integrity of the values in aggregate when in summarized form. if you were to use a stats command to summarize data for summary index or base search, and then another stats command right after it in post-process or to further aggregate from a summary index (because the original intervals need to be further combined), you will end up with incorrect quantitative values due to weighting issues.

Take, for example, you have just 2 intervals of response times. the first interval has 2 events with both having 10 second response time each. the 2nd interval has 1 event with 1 second response time. a double-aggregate average will yield 5.5 second average response time ( (10 + 1) / 2 ), but a true and correct average is 7 seconds ( (10 + 10 + 1 ) / 3 ). transforming commands otherwise lose the original values still required, so si- commands store these in special fields.

I honestly don't know specifically what most of the other psrsvd fields do, but it is likely for similar reasons and to help users in using the same familiar format for the final and regular stats command without ever knowing that you're actually querying summarized data.