
Confused with the usage of si-commands

szabados
Communicator

I'm trying to dig deeper into summary indexing, but at this point I feel a bit confused.
What I did so far is:
- created an index to use for summaries (so as not to use the built-in summary index)
- stored some of my search results with collect: | collect index=my_summary_index sourcetype=my_summary_sourcetype

I was looking at the si-commands, sistats in the first place.
What I don't get is, how do I store the results from sistats in a summary index?

Do I have to add collect after sistats, or can I not use it in an inline search at all, so that I have to schedule it and enable summary indexing for the report?

0 Karma

rjthibod
Champion

You don't have to do anything with si- commands if you don't want to. The collect method you used is fine as long as you have defined the summary sourcetype. The use of si- commands comes down to your specific use case and the type of summary data you are using.

The collect command is taking care of writing to the summary index, and it just writes whatever you tell it to write.

The si- commands are special commands that prepare data before writing it to a summary index, or in global searches when doing post-processing searches.

There is nothing that says you have to use the si- commands before writing to a summary index - it is only a suggested method for certain cases.

I do exactly what you did in my certified app.

szabados
Communicator

So let me put it this way:
This time, I would like to use si-commands. I just don't get what the recommended way is to route the output from sistats or similar commands to an arbitrary summary index.

0 Karma

rjthibod
Champion

If you are using the savedsearch interface/settings manager, you would create your search with the desired si- command at the end, and then you would enable summary indexing in the saved search UI settings. You would not use collect anywhere in your SPL search.

You can see the summary indexing options in the savedsearches.conf file spec here http://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf. At a minimum, you would need to add the following to your local savedsearches.conf. You can do this in the savedsearch UI if you don't want to edit the config files.

action.summary_index = 1
action.summary_index._name = my_summary_index

0 Karma

szabados
Communicator

And is there a way to store the output of sistats with an ad hoc search, as I did by using collect at the end of my search in the GUI?

0 Karma

rjthibod
Champion

The savedsearch settings take care of storing the data in the summary index.

So if you create a savedsearch that looks like index=foo ... | ... | sistats sum(bar) by host

And you turn on the settings in the savedsearch from the earlier comment, Splunk will automatically write the output of the sistats command to the summary index you specify in the settings.

Basically, you do not need collect if you turn on the savedsearch settings to tell it to write to the summary index.

0 Karma
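Putting the two answers together as one complete savedsearches.conf stanza, as an added example that is not from the thread: the stanza name, the cron schedule, the index=foo search, the dispatch window and the report field are assumptions for illustration; only my_summary_index and the two action.summary_index keys come from the answer above.

```ini
# Added example (not from the thread): a scheduled report whose sistats output
# is routed to a custom summary index purely through savedsearches.conf settings.
# Stanza name, schedule, search and "report" field are assumed for illustration.
[hourly_bar_by_host]
# The search ends in the si- command; no collect is needed anywhere in the SPL.
search = index=foo | sistats sum(bar) by host
enableSched = 1
cron_schedule = 5 * * * *
# Summarise one already-complete hour per run so no event is counted twice
# when the summary is later rolled up with stats.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Write the summary rows to the custom index instead of the built-in "summary".
action.summary_index = 1
action.summary_index._name = my_summary_index
# Assumed extra field: action.summary_index.<field> adds <field>=<value> to every
# summary event, so later searches can select this report's rows.
action.summary_index.report = hourly_bar_by_host

# Reading the summary back later (an ad hoc search, not another saved search);
# the plain stats command reassembles the partial results sistats stored:
#   index=my_summary_index report=hourly_bar_by_host | stats sum(bar) by host
```

Keeping the summary in its own index, as the question already does, also lets its retention and role-based access be set independently of the raw data.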