
About psrsvd field which is made by sitimechart command

Shuhei052492
Path Finder

Hello,
I would like to confirm my understanding of the following manual, and to know how to get the max value from psrsvd_gc.

First, I saw this caution in the manual.
Caution: Use of these fields and their encoded data by any search commands other than the si* summary indexing commands is unsupported. The format and content of these fields can change at any time without warning.

I understood that the psrsvd fields could not be aggregated by streaming commands like stats or chart.
Is that correct?
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Usesummaryindexing

If that is correct, I have no idea how to aggregate the maximum value in summary index data.

The summary index data are created by the following search.
"index=_internal | sitimechart span=1m count by sourcetype"
And the following fields are stored as an event in "summary" by the "Log event" function.

psrsvd_gc=$result.psrsvd_gc$,
psrsvd_v=$result.psrsvd_v$

And I would like to search for the max value of "psrsvd_gc" per week.
I appreciate any tips, advice, or suggestions.

Best regards,

1 Solution

woodcock
Esteemed Legend

Why are you ignoring the advice? What possible reason could you have to access these values? Do what you are supposed to do and use sistats. Let's say that you are putting a value called count into your summary index. Just pull out the maximum of that value using index = YourIndexName | sistats max(count). You do not need to know or understand how it works (which is the point of the comments in the documentation).


Shuhei052492
Path Finder

I appreciate your comment.
I will add a "count" field and get the max result.
I am just curious about the psrsvd field. Is this field useful?
I do not understand the point of using si- commands.

If you have any idea, please let me know.


weidertc
Communicator

One reason to use the si- commands is to aggregate values for storage (base search or summary index). This is the quickest way to run searches. Simply throwing a table or fields command at the end of a base search often reduces performance, even if it may reduce server load.

Another reason to use the si- commands is to preserve the integrity of the values in aggregate when in summarized form. If you were to use a stats command to summarize data for a summary index or base search, and then another stats command right after it in post-process or to further aggregate from a summary index (because the original intervals need to be further combined), you would end up with incorrect quantitative values due to weighting issues.

Take, for example, just 2 intervals of response times. The first interval has 2 events, each with a 10 second response time. The second interval has 1 event with a 1 second response time. A double-aggregate average will yield a 5.5 second average response time ((10 + 1) / 2), but the true and correct average is 7 seconds ((10 + 10 + 1) / 3). Transforming commands otherwise lose the original values that are still required, so si- commands store these in special fields.

I honestly don't know specifically what most of the other psrsvd fields do, but it is likely for similar reasons, and to help users use the same familiar format for the final, regular stats command without ever knowing that they're actually querying summarized data.

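The weighting problem weidertc describes, and woodcock's point that the weekly max should come from a mergeable partial rather than from the encoded psrsvd fields, can be seen in a small Python model. This is an added example, not code from this thread or from Splunk: the `Partial` class is an assumed, simplified stand-in for what an si* command has to preserve per interval (count, sum, max) and does not reproduce the real psrsvd encoding, and the interval values and per-minute rows are constructed from the numbers in the thread.

```python
# Added example (not Splunk's code): why summary-index partials must be mergeable.
from dataclasses import dataclass
from functools import reduce
from statistics import mean


@dataclass(frozen=True)
class Partial:
    """Assumed stand-in for the per-interval state an si* command keeps.

    Holding count, sum and max (instead of a finished average) lets two
    intervals be combined exactly, which a second stats over averages cannot do.
    """
    count: int
    total: float
    maximum: float

    @classmethod
    def from_values(cls, values):
        return cls(len(values), float(sum(values)), float(max(values)))

    def merge(self, other):
        # Exact combination: counts and sums add, max is the larger max.
        return Partial(self.count + other.count,
                       self.total + other.total,
                       max(self.maximum, other.maximum))

    @property
    def avg(self):
        return self.total / self.count


# Constructed from the thread: 2 events at 10 s, then 1 event at 1 s.
INTERVALS = {"interval_1": [10.0, 10.0], "interval_2": [1.0]}


def naive_avg_of_avgs(intervals):
    """stats avg, then stats avg again: each interval weighs the same (wrong)."""
    return mean(mean(v) for v in intervals.values())


def merged(intervals):
    """si-style: keep partials per interval, merge them, then finish."""
    return reduce(Partial.merge, (Partial.from_values(v) for v in intervals.values()))


# Constructed per-minute rows, as "sitimechart span=1m count by sourcetype"
# would store them, tagged with the ISO week they fall in.
MINUTE_ROWS = [
    {"week": "2019-W40", "sourcetype": "splunkd", "count": 120},
    {"week": "2019-W40", "sourcetype": "splunkd", "count": 340},
    {"week": "2019-W41", "sourcetype": "splunkd", "count": 200},
    {"week": "2019-W40", "sourcetype": "metrics.log", "count": 15},
]


def weekly_max_count(rows):
    """Equivalent of 'sistats max(count) by week, sourcetype' over the rows."""
    acc = {}
    for r in rows:
        key = (r["week"], r["sourcetype"])
        part = Partial(1, float(r["count"]), float(r["count"]))
        acc[key] = part if key not in acc else acc[key].merge(part)
    return {k: v.maximum for k, v in acc.items()}


if __name__ == "__main__":
    print("average of averages:", naive_avg_of_avgs(INTERVALS))   # 5.5
    m = merged(INTERVALS)
    print("merged partial:", m, "-> avg", m.avg, "max", m.maximum)  # avg 7.0
    print("weekly max count:", weekly_max_count(MINUTE_ROWS))
```

The average-of-averages path gives 5.5 because both intervals count equally; the merged partial gives 7.0 because the first interval's two events keep their weight. Max is order-independent either way, which is why the plain `count` field plus `sistats max(count)` is enough for the weekly question and the encoded psrsvd values are never needed.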