
Accessing Fields in Summary Index

bzam
Explorer

I was curious if anyone could help me understand, or point me to documentation that refers to, accessing fields in a summary index.

I've found that running eval against a known field (bytes) that I'm writing to the summary index results in no information being populated for the eval field 'gb':

index=my_summary
| eval gb=bytes/(pow(1024, 3))
| stats sum(gb) by _time

If I perform a stats call, then the field appears to be exposed and I can utilize the eval to populate the 'gb' field: 

index=my_summary
| stats sum(bytes) as bytes by _time
| eval gb=bytes/(pow(1024, 3))
| stats sum(gb) by _time

Just curious if there is any insight into why this may be the case. I wouldn't expect it to work this way.

Thank you!


impurush
Contributor

Hi @bzam,

I tried your query and it looks to be working for me. I took one of the fields from the summary index and replaced the bytes field in your query, and it worked both ways.

Please check whether the bytes field is there in your summary index, and also try it step by step: run the query up to where you calculate the GB value and check your fields section to see whether the GB variable is extracted or not, then apply the stats function on top of that.

bzam
Explorer

I think I found the issue here:

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UseSireportingcommands

The search against the summary index cannot create or modify fields before the | stats <args> command.

So, if the field is 'prestats reserved', then new fields cannot be created from it, using eval for instance, until the stats command is encountered, which is the behavior that I'm seeing.

bzam
Explorer

Thanks for the feedback @impurush! Possibly I'm not populating the summary index properly. Here is my populating sistats:

| sistats count(session_id) as session_count, sum(bytes) as bytes, sum(bytes_in) as bytes_in, sum(bytes_out) as bytes_out, sum(duration) as duration by src_location, dest_port, action, _time

When I run 'fieldsummary', I do not see the "bytes" field, only the aggregation fields, although I do see the bytes field associated with the internal mechanisms of the summary index, i.e. psrsvd_ct_bytes, psrsvd_sm_bytes.

I think I'll hit the docs site for another round of learning to be sure I'm understanding.

Ethan
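The pattern the thread arrives at, as an added example that is not from the original posts or from Splunk's documentation: the si- command stores only prestats-reserved psrsvd_* fields, so the reporting search must call stats before eval can see "bytes". The first search is the populating search, assumed to run as a scheduled search with summary indexing enabled; the second is the reporting search that resolves the reserved fields and then flags hourly volume above a threshold per source location and destination port, a common way to baseline outbound volume from firewall data. The index name "firewall", the sourcetype placeholder, the 1-hour span and the 5 GB threshold are assumptions, not values from the thread.

```spl
index=firewall sourcetype=<your_firewall_sourcetype> earliest=-1h@h latest=@h
| bin _time span=1h
| sistats count(session_id) as session_count sum(bytes) as bytes sum(bytes_in) as bytes_in sum(bytes_out) as bytes_out sum(duration) as duration by src_location dest_port action _time

index=my_summary
| stats sum(session_count) as session_count sum(bytes) as bytes sum(bytes_out) as bytes_out by src_location dest_port action _time
| eval gb=round(bytes/pow(1024, 3), 3), gb_out=round(bytes_out/pow(1024, 3), 3)
| where gb > 5
| sort - gb
```

To confirm the summary index was populated by the si- command rather than by a plain stats plus collect, run `index=my_summary | fieldsummary | search field=psrsvd_*`; the psrsvd_sm_bytes and psrsvd_ct_bytes fields are what stats in the reporting search recombines into "bytes", which is why the eval in the reporting search only works after that stats call.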
