Hi,
I want to create a summary index for license information, tracking pool, idx and sourcetype. I am using the following search, which will run daily, overnight.
index=_internal source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | sistats sum(b) as b by _time, pool, st, idx
I have two questions, as I've never used sistats before.
1. How do I route this to a specific index, as I don't want to use "summary"?
2. I get a number of additional fields created - what are they?
Hey buddy - So think of the sistats command like what the indexers send to the SH. That helped me wrap my brain around it at first.
Given our history, I know I can tease you a little here: sounds like someone didn't read the manual 😉
When using Summary Indexing, there's a UI friendly way of managing the target index and such. Similarly, the fields added are explained in a topic that couldn't be more spot on to what you're looking for: Fields added to summary-indexed data by the si- summary indexing commands
Now, cause I have so much love for you, I'll share a bit more here. It helped me a lot, when I was learning about summary indexing, to play with the Collect command. That's essentially the command that does the real summary indexing that the UI adds for ya. But playing with that command directly, along with the run_in_preview option, allowed me to learn rapidly rather than waiting for my scheduled search to populate the summary indexing.
Another thing that helped me may be counter-intuitive. As a way to validate my summary indexing, I would run my summary indexing search with extra commands after it that represented how I wanted to use that summary indexing data. So in your example, that might be:
index=_internal source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| sistats sum(b) as b by _time, pool, st, idx
| stats sum(b) as b by _time, pool, st, idx
Notice how my stats command is essentially the same as the sistats command? That's how I would validate it's what I wanted.
And while we're here, might I suggest the following adjustments to your search string:
index=_internal sourcetype=splunkd source=*license_usage.log* type="Usage"
| foreach h s idx
[ eval <<FIELD>>=if(len(<<FIELD>>)=0 OR isnull(<<FIELD>>),"(SQUASHED)",<<FIELD>>) ]
| bin span=1d _time
| sistats sum(b) BY _time, pool, st, idx
Notice the addition of sourcetype to the base, switch to foreach, and removal of "as b" to the sistats (not needed for si* commands).
Ok, stopping there. Let us know what you think! Good to hear from you!
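For reference, this is the persisted form of what the summary-indexing UI configures for a scheduled report, written out as an added example rather than anything from the thread above. The stanza name, the target index name license_summary and the marker value license_daily are assumptions; the search itself is the adjusted one from the answer.

```ini
# savedsearches.conf (in your app's local/ directory). Added example;
# the stanza name, index name and marker value are assumptions.
[license_daily_summary]
enableSched = 1
# Run nightly at 01:00 and cover exactly the previous full day, so the
# span=1d bins in the search are complete before they are summarized.
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
search = index=_internal sourcetype=splunkd source=*license_usage.log* type="Usage" | foreach h s idx [ eval <<FIELD>>=if(len(<<FIELD>>)=0 OR isnull(<<FIELD>>),"(SQUASHED)",<<FIELD>>) ] | bin span=1d _time | sistats sum(b) BY _time, pool, st, idx

# Summary-index action. This is what "Enable summary indexing" in the UI
# writes; _name is the target index, so the default "summary" is never used.
action.summary_index = 1
action.summary_index._name = license_summary
# Any further action.summary_index.<key> becomes a field on every summary
# event; a marker like this lets consumers select only this report's rows.
action.summary_index.report = license_daily
# Summary events are written with sourcetype=stash, which is not metered
# against the license; do not override the sourcetype in the action.
```

The extra fields the question asks about are the psrsvd_* fields that sistats emits to carry partial results, which is why consumers can read the summary back with plain stats, e.g. `index=license_summary report=license_daily | stats sum(b) AS b BY _time, pool, st, idx`.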