I would like to confirm my understanding of the following manual, and to know how to get the max value from psrsvd_gc.
First, I saw this caution in the manual.
Caution: Use of these fields and their encoded data by any search commands other than the si* summary indexing commands is unsupported. The format and content of these fields can change at any time without warning.
I have understood that the psrsvd fields could not be aggregated by streaming commands like stats, chart.
Is that correct?
If that is correct, I have no idea how to aggregate the maximum value in summary index data.
The summary index data are created by the following search.
"index=_internal | sitimechart span=1m count by sourcetype"
And there are the following fields to be stored as events in "summary" by the "Log event" function.
And I would like to search for the max value of "psrsvd_gc" per week.
I would appreciate any tips, advice, or suggestions.
Why are you ignoring the advice? What possible reason could you have to access these values? Do what you are supposed to do and use sistats. Let's say that you are putting a value called count into your summary index. Just pull out the maximum of that value using index = YourIndexName | sistats max(count). You do not need to know or understand how it works (which is the point of the comments in the documentation).
I appreciate your comment.
I will add a field of "count" and get the max result.
I am just curious about the psrsvd field. Is this field useful?
I do not understand the point of using the si- commands.
If you have any idea, please let me know.