Compatible commands with Summary Index- Why aren't...

Poojitha · ‎05-25-2022

Hi All,

I have created a summary index . I am making use of "sistats count by <fields>" to populate all the fields required. And I see those fields as well.

The issue is - On this index I am trying to use chart command and also stats count(<field>) as test (chart command in one query and stats count in another query) but its not working. There is no results returned. Instead I use stats command and populate data to summary index , both commands are working.

Please let me know why chart and stats command are not working on the summary index that I have created using sistats command . [sichart as well not working]. I am missing some technical information here.

Regards,
PNV

ITWhisperer · ‎05-25-2022

I may be wrong as I haven't used sistats, although I have used summary indexes. My interpretation of the documentation is that to retrieve the stats from the summary index created by the sistats command, you have to use the exact same command apart from substituting the sistats with stats. Similarly, for sichart and chart. You cannot mix them. Therefore, the reason you are not getting results from your summary index with chart is because they were put there by sistats (not sichart).

Compatible commands with Summary Index- Why aren't stats and chart command working?

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases