How do I route sistats to a specific index?

a212830
Champion

Hi,

I want to create a summary index for license information, tracking pool, idx and sourcetype. I am using the following search, which will run daily, overnight.

index=_internal  source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | sistats sum(b) as b by _time, pool,  st, idx

I have two questions, as I've never used sistats before.

1. How do I route this to a specific index, as I don't want to use "summary",
2. I get a number of additional fields created - what are they?

  • psrsvd_ct_b, psrsvd_gc, psrsvd_nc_b, psrsvd_sm_b, psrsvd_v...

sloshburch
Splunk Employee

Hey buddy - So think of the sistats command like what the indexers send to the SH. That helped me wrap my brain around it at first.

Given our history, I know I can tease you a little here: sounds like someone didn't read the manual 😉

When using Summary Indexing, there's a UI friendly way of managing the target index and such. Similarly, the fields added are explained in a topic that couldn't be more spot on to what you're looking for: Fields added to summary-indexed data by the si- summary indexing commands

Now, cause I have so much love for you, I'll share a bit more here. It helped me a lot, when I was learning about summary indexing, to play with the Collect command. That's essentially the command that does the real summary indexing that the UI adds for ya. But playing with that command directly, along with the run_in_preview option, allowed me to learn rapidly rather than waiting for my scheduled search to populate the summary indexing.

Another thing that helped me may be counter intuitive. As a way to validate my summary indexing, I would run my summary indexing search with extra commands after that represented how I wanted to use that summary indexing data. So in your example, that might be:

index=_internal source=*license_usage.log* type="Usage" 
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) 
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) 
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) 
| bin _time span=1d 
| sistats sum(b) as b by _time, pool, st, idx
| stats sum(b) as b by _time, pool, st, idx

Notice how my stats command essentially is the same as the sistats? That's how I would validate it's what I wanted.

And while we're here, might I suggest the following adjustments to your search string:

index=_internal sourcetype=splunkd source=*license_usage.log* type="Usage" 
| foreach h s idx 
    [ eval <<FIELD>>=if(len(<<FIELD>>)=0 OR isnull(<<FIELD>>),"(SQUASHED)",<<FIELD>>) ]
| bin span=1d _time
| sistats sum(b) BY _time, pool, st, idx

Notice the addition of sourcetype to the base, the switch to foreach, and the removal of "as b" from the sistats (not needed for si* commands).

Ok, stopping there. Let us know what you think! Good to hear from you!

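Putting the answer's pieces together as an added example (not from either post): the first search is the scheduled one, which writes the sistats output straight to a dedicated index with collect, and the second search is the reporting search that reads it back. The index name license_summary is an assumption and must already exist on the indexers before collect can write to it; testmode=true makes collect show what it would write without actually indexing anything.

```spl
index=_internal sourcetype=splunkd source=*license_usage.log* type="Usage"
| foreach h s idx
    [ eval <<FIELD>>=if(len(<<FIELD>>)=0 OR isnull(<<FIELD>>),"(SQUASHED)",<<FIELD>>) ]
| bin span=1d _time
| sistats sum(b) BY _time, pool, st, idx
| collect index=license_summary testmode=true

index=license_summary
| stats sum(b) AS b BY _time, pool, st, idx
```

Drop testmode=true once the preview looks right; the stats sum(b) in the second search is what turns the psrsvd_* fields sistats wrote into the final daily byte totals per pool, sourcetype and index.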