Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Aggregate data from summary index

combinatorics
Explorer
‎09-24-2012 02:25 PM

Every year I get asked questions like "What was the traffic volume like last year at this time?". And every year I had to say we didn't retain logs long enough to know. But, this year we have Splunk. So I want to setup some summary searches to start capturing this information day by day so I can report on it later. I'm going to start with a simple search like this.

index=foo sourcetype=access_combined host=myhost | sistats count by root, status, method, uri_path

My question is this... If I include lots of fields in the "by" clause of sistats, will I later still be able to aggregate them if I don't care to differentiate? For example, if I summarize using the query above, but later don't care about breaking down by uri_path, will I be able to? I don't want to capture months worth of summary events just to find out I can't generate the report I want later on.

(I'm creating some fake summary events for the next few days so I can run some sample reports to see what I can do. I just thought you guys might have a good answer that we could have here for others to refer to later.)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-24-2012 11:10 PM

Yes, you could aggregate it even further later on. When you grab data from the summary index for performing stats on it, just omit the fields you want to split by.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-24-2012 11:10 PM

Yes, you could aggregate it even further later on. When you grab data from the summary index for performing stats on it, just omit the fields you want to split by.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...