topic Re: Summary collection of summary indexed data in Knowledge Management

Summary collection of summary indexed data

sranga — Thu, 07 Oct 2010 05:42:26 GMT

We have a saved-search that retrieves data from an existing summary index. It is of the following form:

index=summary s_name=blah | stats count as inner_count by field1 field2 _time | 
bucket span=1mon _time | sistats sum(inner_count) as outer_count by field1 field2 _time

The above search is saved with a marker: s_name=blah2. When I try to retrieve this in a dashboard using the following query, the outer_count always shows up as 0.

index=summary s_name=blah2 | stats sum(inner_count) as outer_count by field1 field2 _time

Any help is appreciated.

Ranga

Re: Summary collection of summary indexed data

Lowell — Thu, 07 Oct 2010 06:28:25 GMT

Your final sistats command on your summary indexing search should not output a field called "inner_count".

Which you should be able to confirm with the search:

index=summary s_name=blah2 inner_count=*

(I'm not 100% sure what this looks like with the sistats, I normally prefer stats and simply avoid any of the complex stuff that sistats handles that stats does not. So I could be wrong about that search.)

What I do not full understand is how your second search sum(inner_count) give a value of 0. If inner_count is missing completely, you should get a "missing field" error in your search.

Update:

Never mind, I just figured out that sistats seems to just pretty much ignore field renaming using "as"; so "inner_count" is probably the field name that is saved in the summary index and not "outer_count".

Out of curiosity, if you take the secondary summary index out of the equation, does it work?

index=summary s_name=blah | stats count as inner_count by field1 field2 _time | bucket span=1mon _time | sistats sum(inner_count) by field1 field2 _time | stats sum(inner_count) as outer_count by field1 field2 _time

Re: Summary collection of summary indexed data

sranga — Fri, 08 Oct 2010 04:54:06 GMT

Thanks. If sistats ignores field renaming, my first summary-indexed query would also not function right?

Re: Summary collection of summary indexed data

sranga — Sat, 09 Oct 2010 01:00:53 GMT

When I run the following search: index=summary report=blah2 | stats sum(inner_count) by field1 field2 _time, i do see "mon_count" being displayed as a "field" under the "Other interesting fields" section. However when I try to use it in the stats command it doesn't work.

Re: Summary collection of summary indexed data

Lowell — Sat, 09 Oct 2010 01:09:21 GMT

I'm not familiar with the "mon_*" prefixed fields, but then again I don't know all that much about how the si search commands summarized your fields either, so this could be normal. Well, at least you've been able to prove that it's not a summary indexing problem, it's something in your combination of sistats ... | stats ..., or it's a bug.

Re: Summary collection of summary indexed data

sranga — Mon, 28 Sep 2020 09:18:55 GMT

Sorry. I meant to say "outer_count". The outer_count field gets displayed in the "Other interesting fields" section. outer_count is defined in the summary index query (in the question above).