
About psrsvd field which is made by sitimechart command

Path Finder

Hello,
I would like to confirm my understanding of the following manual, and to know how to get the max value from psrsvd_gc.

First, I saw this caution in the manual.
Caution: Use of these fields and their encoded data by any search commands other than the si* summary indexing commands is unsupported. The format and content of these fields can change at any time without warning.

I understood that the psrsvd field could not be aggregated by a streaming command like stats or chart.
Is that correct?
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Usesummaryindexing

If that is correct, I have no idea how to aggregate the maximum value in the summary index data.

The summary index data are created by the following search.
"index=_internal | sitimechart span=1m count by sourcetype"
And the following fields are stored as events in "summary" by the "Log event" function.

psrsvd_gc=$result.psrsvd_gc$,
psrsvd_v=$result.psrsvd_v$

And I would like to search for the max value of "psrsvd_gc" per week.
I would appreciate any tips, advice, or suggestions.

Best regards,


Re: About psrsvd field which is made by sitimechart command

Esteemed Legend

Why are you ignoring the advice? What possible reason could you have to access these values? Do what you are supposed to do and use sistats. Let's say that you are putting a value called count into your summary index. Just pull out the maximum of that value using index = YourIndexName | sistats max(count). You do not need to know or understand how it works (which is the point of the comments in the documentation).


Re: About psrsvd field which is made by sitimechart command

Path Finder

I appreciate your comment.
I will add a "count" field and get the max result.
I am just curious about the psrsvd field. Is this field useful?
I do not understand the point of using the si- commands.

If you have any idea, please let me know.
