
How do I route sistats to a specific index?

a212830

Hi,

I want to create a summary index for license information, tracking pool, idx and sourcetype. I am using the following search, which will run daily, overnight.

index=_internal  source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | sistats sum(b) as b by _time, pool,  st, idx

I have two questions, as I've never used sistats before.

1. How do I route this to a specific index, as I don't want to use "summary",
2. I get a number of additional fields created - what are they?

  • psrsvd_ct_b, psrsvd_gc, psrsvd_nc_b, psrsvd_sm_b, psrsvd_v...

sloshburch
Splunk Employee

Hey buddy - So think of the sistats command like what the indexers send to the SH. That helped me wrap my brain around it at first.

Given our history, I know I can tease you a little here: sounds like someone didn't read the manual 😉

When using Summary Indexing, there's a UI friendly way of managing the target index and such. Similarly, the fields added are explained in a topic that couldn't be more spot on to what you're looking for: Fields added to summary-indexed data by the si- summary indexing commands

Now, cause I have so much love for you, I'll share a bit more here. It helped me a lot, when I was learning about summary indexing, to play with the Collect command. That's essentially the command that does the real summary indexing that the UI adds for ya. But playing with that command directly, along with the run_in_preview option, allowed me to learn rapidly rather than waiting for my scheduled search to populate the summary indexing.

Another thing that helped me may be counter-intuitive. As a way to validate my summary indexing, I would run my summary indexing search with extra commands after that represented how I wanted to use that summary indexing data. So in your example, that might be:

index=_internal source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| sistats sum(b) as b by _time, pool, st, idx
| stats sum(b) as b by _time, pool, st, idx

Notice how my stats command essentially is the same as the sistats? That's how I would validate it's what I wanted.

And while we're here, might I suggest the following adjustments to your search string:

index=_internal sourcetype=splunkd source=*license_usage.log* type="Usage" 
| foreach h s idx 
    [ eval <<FIELD>>=if(len(<<FIELD>>)=0 OR isnull(<<FIELD>>),"(SQUASHED)",<<FIELD>>) ]
| bin span=1d _time
| sistats sum(b) BY _time, pool, st, idx

Notice the addition of sourcetype to the base, switch to foreach, and removal of "as b" to the sistats (not needed for si* commands).

Ok, stopping there. Let us know what you think! Good to hear from you!

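To tie the two points of the answer together (targeting an index other than "summary", and validating the si- output), here is an added SPL example that is not from either poster. It pipes the sistats result straight into the collect command with an explicit index, then reads it back with a plain stats. The index name summary_license is an assumption chosen for illustration; it must already exist on the indexers before collect will write to it.

```spl
/* Write step: the same search as above, routed with collect.
   index=summary_license is an assumed name, not from the original post.
   collect defaults to sourcetype=stash, which is how summary data is
   normally stored and is not charged against license volume. */
index=_internal sourcetype=splunkd source=*license_usage.log* type="Usage"
| foreach h s idx
    [ eval <<FIELD>>=if(len(<<FIELD>>)=0 OR isnull(<<FIELD>>),"(SQUASHED)",<<FIELD>>) ]
| bin span=1d _time
| sistats sum(b) BY _time, pool, st, idx
| collect index=summary_license run_in_preview=false

/* Read step: run later against the summary index only. stats reads the
   psrsvd_* fields that sistats produced and rebuilds the daily totals,
   so the answer matches a stats run over the raw license_usage events. */
index=summary_license
| stats sum(b) AS b BY _time, pool, st, idx
```

Two practical notes on this pattern. First, leave run_in_preview at its default of false for anything you run ad hoc: a search that previews while it is still running would otherwise hand partial result sets to collect, and you end up with duplicated or understated totals in the summary. Second, when you run the write step by hand for testing, constrain the time range to a window you have not already collected, because collect does not deduplicate against what is already in the index; the scheduled summary-indexing search avoids this by advancing the window for you.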