topic Re: How to create a more efficient sitimechart for distinct count? in Splunk Search

How to create a more efficient sitimechart for distinct count?

pr0n — Wed, 30 Sep 2020 03:44:29 GMT

When using index=blah | sitimechart dc(field1) by field2 It saves every single element for field1 concatenated into a new field called psrsvd_vm_field1. For me this makes for an insanely inefficient summary index with millions and millions of useless entries in the psrsvd_vm_field1 field. How can I streamline this so that it doesn't store all that information and have to sort through it every time I chart the summarized data.

Re: How to create a more efficient sitimechart for distinct count?

DavidHourani — Thu, 16 Jan 2020 15:33:57 GMT

Hi @pr0n,

If you're just looking to store the distinct count without the detailed multi-value, then all you have to do is save a timechart into a summary index using | collect instead of using sitimechart.

Cheers,
David

Re: How to create a more efficient sitimechart for distinct count?

pr0n — Thu, 16 Jan 2020 15:36:44 GMT

How do I timechart the summary? My understanding is I need sitimechart to prepare data for proper timechart once it's summarized.

Re: How to create a more efficient sitimechart for distinct count?

DavidHourani — Thu, 16 Jan 2020 15:50:21 GMT

Well it depends on what you're trying to achieve, because if you need to be able to run a dc over any time span then you will need that inefficient mv field. But if you're only interested in keeping a specific time interval in your summary then going for the results of a timechart would do the trick for you.
It'll only save _time and dc value instead of saving _time, dcand all values.