Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Accessing Fields in Summary Index

bzam
Explorer
‎03-29-2021 10:36 AM

I was curious if anyone could help me understand or point me to documentation that refers to accessing fields in a summary index.  

I've found that running eval against a known field (bytes) that I'm writing to the summary index results in no information being populated for the eval field 'gb':

index=my_summary
| eval gb=bytes/(pow(1024, 3))
| stats sum(gb) by _time

If I perform a stats call, then the field appears to be exposed and I can utilize the eval to populate the 'gb' field: 

index=my_summary
| stats sum(bytes) as bytes by _time
| eval gb=bytes/(pow(1024, 3))
| stats sum(gb) by _time

Just curious if there was any insight to why this may be the case.  I wouldn't expect it to work this way.

Thank you!

Labels (1)
Labels
0 Karma
Reply

impurush
Contributor
‎03-29-2021 12:33 PM

Hi @bzam,

I tried your query and it looks working for me. I took one of the fields from the summary index and replaced the bytes in your query, it worked both ways.

Please check whether the bytes field is there in your summary index and also tried to step by step, like run the query until, you calculate the GB and see your fields section whether the GB variable is extracted or not, then you can apply the stats function on top of that.

Reply

bzam
Explorer
‎04-01-2021 04:29 PM

I think I found the issue here:

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/UseSireportingcommands

The search against the summary index cannot create or modify fields before the | stats <args> command.

So, if the field is 'prestats reserved', then new fields cannot be created from them, using eval for instance, until the stats command is encountered, which is the behavior that I'm seeing.

 

 

0 Karma
Reply

bzam
Explorer
‎04-01-2021 03:58 PM

Thanks for the feedback @impurush!  Possibly I'm not populating the summary index properly.  Here is my populating sistats

| sistats count(session_id) as session_count, sum(bytes) as bytes, sum(bytes_in) as bytes_in, sum(bytes_out) as bytes_out, sum(duration) as duration, by src_location, dest_port, action, _time

When I run 'fieldsummary', I do not see the "bytes" field, only the aggregation fields, although  I do see the bytes field associated with the internal mechanisms of the summary index i.e. psrsvd_ct_bytes, psrsvd_sm_bytes.

I think I'll hit the docs site for another round of learning to be sure I'm understanding.

Ethan

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top