
About psrsvd field which is made by sitimechart command

Shuhei052492
Path Finder

Hello,
I would like to confirm my understanding of the following manual, and to know how to get the max value from psrsvd_gc.

First, I saw this caution in the manual.
Caution: Use of these fields and their encoded data by any search commands other than the si* summary indexing commands is unsupported. The format and content of these fields can change at any time without warning.

I understand that the psrsvd fields cannot be aggregated by streaming commands like stats or chart.
Is that correct?
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Usesummaryindexing

If that is correct, I have no idea how to aggregate the maximum value in summary index data.

The summary index data are created by the following search.
"index=_internal | sitimechart span=1m count by sourcetype"
And the following fields are stored as an event in "summary" by the "Log event" function.

psrsvd_gc=$result.psrsvd_gc$,
psrsvd_v=$result.psrsvd_v$

And I would like to search for the max value of "psrsvd_gc" per week.
I appreciate any tips, advice, or suggestions.

Best regards,

1 Solution

woodcock
Esteemed Legend

Why are you ignoring the advice? What possible reason could you have to access these values? Do what you are supposed to do and use sistats. Let's say that you are putting a value called count into your summary index. Just pull out the maximum of that value using index = YourIndexName | sistats max(count). You do not need to know or understand how it works (which is the point of the comments in the documentation).



Shuhei052492
Path Finder

I appreciate your comment.
I will add a "count" field and get the max result.
I am just curious about the psrsvd field. Is this field useful?
I do not understand the point of using si- commands.

If you have any idea, please let me know.


weidertc
Communicator

One reason to use the si- commands is to aggregate values for storage (base search or summary index). This is the quickest way to run searches. Simply throwing a table or fields command at the end of a base search often reduces performance, even if it may reduce server load.

Another reason to use the si- commands is to preserve the integrity of the values in aggregate when in summarized form. If you were to use a stats command to summarize data for a summary index or base search, and then another stats command right after it in post-process or to further aggregate from a summary index (because the original intervals need to be further combined), you will end up with incorrect quantitative values due to weighting issues.

Take, for example, a case where you have just 2 intervals of response times. The first interval has 2 events, both having a 10 second response time each. The 2nd interval has 1 event with a 1 second response time. A double-aggregate average will yield a 5.5 second average response time ( (10 + 1) / 2 ), but the true and correct average is 7 seconds ( (10 + 10 + 1) / 3 ). Transforming commands otherwise lose the original values still required, so si- commands store these in special fields.

I honestly don't know specifically what most of the other psrsvd fields do, but it is likely for similar reasons and to help users in using the same familiar format for the final and regular stats command without ever knowing that you're actually querying summarized data.

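The weighting problem described in the answer above, carried through as an added example that is not from the thread or from Splunk. The interval data are constructed to match the numbers in the post, and the preserved sum and count fields stand in for the extra state the si* commands keep so a later stats can recompute the average correctly:

```python
# Added example: averaging per-interval averages (avg of avg) versus
# recomputing the average from preserved sum and count, mirroring why
# si* commands keep extra state instead of only the finished statistic.
from collections import namedtuple

IntervalSummary = namedtuple("IntervalSummary", "avg total count")

# Constructed raw events: response time in seconds, grouped by interval
# (interval keys are placeholders, not real summary-index timestamps).
RAW_INTERVALS = {
    "interval-1": [10.0, 10.0],
    "interval-2": [1.0],
}

def summarize(intervals):
    """First aggregation: one row per interval.

    'avg' is what a plain 'stats avg(response)' would write to the summary
    index; 'total' and 'count' play the role of the preserved state that
    lets the average be rebuilt exactly later on."""
    return {
        key: IntervalSummary(avg=sum(v) / len(v), total=sum(v), count=len(v))
        for key, v in intervals.items()
    }

def naive_reaggregate(summaries):
    """Second aggregation done wrong: averaging the stored averages.
    Every interval weighs the same, however many events it held."""
    avgs = [s.avg for s in summaries.values()]
    return sum(avgs) / len(avgs)

def weighted_reaggregate(summaries):
    """Second aggregation done right: rebuild the average from the
    preserved sum and count, so each original event counts once."""
    total = sum(s.total for s in summaries.values())
    count = sum(s.count for s in summaries.values())
    return total / count

def true_average(intervals):
    """Ground truth computed directly from the raw events."""
    values = [v for vs in intervals.values() for v in vs]
    return sum(values) / len(values)

if __name__ == "__main__":
    s = summarize(RAW_INTERVALS)
    print("avg of avg:", naive_reaggregate(s))      # 5.5 (wrong)
    print("weighted:  ", weighted_reaggregate(s))   # 7.0 (matches raw)
    print("raw:       ", true_average(RAW_INTERVALS))
```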