Summary Index sistats not working with xyseries

ravimishrabglr
Explorer

I have two questions:

1st Question: Below is the query to generate the stats that I want to push into a Summary Index:

index="myIndex" host="myHost" source="/var/logs/events.log" sourcetype="ss:vv:events" (MTHD="POST" OR MTHD="GET")
| rex field=U "(?P<ApiName>[^\/]+)(\/([a-z0-9]{32})|$)"
| search (ApiName=abc OR ApiName=xyz)
| dedup CR,RE
| stats count as TotalReq by ApiName, Status
| xyseries ApiName Status, TotalReq
| addtotals labelfield=ApiName col=t label="ColTotals" fieldname="RowTotals"

It gives me the perfect result:

ApiName | 200 | 400 | 404 | 500 | RowTotals
abc | 12 | 2 | 4 | 1 | 19
xyz | 10 | 3 | 2 | 2 | 17
ColTotals | 22 | 5 | 6 | 3 | 36

But when I change stats to sistats to push into the Summary Index, it is not producing any result. Please help me with the query.

2nd Question: I already have a Summary Index available, and one stats report with a different query is already being pushed every day, which I have annotated using the Add Fields option in the Edit Summary Index window as report = firstReport. Now can I push another (the above) report into the same Summary Index with a different annotation, report = secondReport? Will it work, or do I have to create another Summary Index for this report as well? Please help.


woodcock
Esteemed Legend

I see little reason to use sistats most of the time because prestats formatted data is difficult to read and near-impossible to debug; therefore I have never used it. Instead, I always use stats. This just means that when you leverage the summary index data, you have to know what you are doing and do it correctly, which is the case with normal events and SPL so you already have the skills that you need. So I suggest that you do it according to this document:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configuresummaryindexes#Manually_confi...

As far as using multiple populating searches to dump into a single summary index, you should make that decision the same way that you would decide whether to put multiple sourcetypes into a regular events index. Just make sure that you use a different report_name value (which is the equivalent of sourcetype when doing summary indexing, because all data in a summary index has a sourcetype value of stash).


ololdach
Builder

Hi,

sistats creates the summary index and doesn't output anything. It is an alternative to the collect suggested above. To report from the summaries, you need to use a stats. I have copied this from the documentation of the sistats command:

Create a summary index with the statistics about the average, for each hour, of any unique field that ends with the string "lay". For example, delay, xdelay, relay, etc.

 ... | sistats avg(*lay) BY date_hour

To create a report, run a search against the summary index using this search

index=summary | stats avg(*lay) BY date_hour

Hope it helps
Oliver

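
An added example, not from the thread or from the Splunk docs, showing the original query in its sistats form end to end. The point it illustrates: sistats emits prestats rows (the psrsvd_* fields), not a TotalReq column, so a xyseries placed directly after it has nothing to pivot and the result is empty. The pivot and the totals belong in the reporting search, whose stats must use the same function and the same BY fields as the sistats. The two searches below are separated by a blank line: the first is the populating search to schedule, the second is the reporting search. It assumes the summary index is named summary and that the saved search is annotated with report=secondReport through the Edit Summary Index dialog; the index, host, source, fields and regex are the thread's own.

```spl
index="myIndex" host="myHost" source="/var/logs/events.log" sourcetype="ss:vv:events" (MTHD="POST" OR MTHD="GET")
| rex field=U "(?P<ApiName>[^\/]+)(\/([a-z0-9]{32})|$)"
| search (ApiName=abc OR ApiName=xyz)
| dedup CR,RE
| sistats count BY ApiName, Status

index=summary report=secondReport
| stats count BY ApiName, Status
| rename count AS TotalReq
| xyseries ApiName Status TotalReq
| addtotals labelfield=ApiName col=t label="ColTotals" fieldname="RowTotals"
```

Each scheduled run dedups CR,RE only within its own time window, which is what a daily summary needs. Across days, stats count over the stored prestats rows merges them into one count per ApiName and Status, and the time picker on the reporting search selects which days are included. Keep the rename after the stats so the function name on both sides stays identical.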

ravimishrabglr
Explorer

@ololdach Thanks for the answer, but I know that. My problem was that when I was using sistats in the above query, it was producing no data to push into the summary index, but it should produce data with additional info columns prefixed with psrsvd. When you run a query with sistats it gives output, and that output is kept in the summary index so that we can query it later.


to4kawa
Ultra Champion

1st: | collect index=your_summary
2nd: related to your search:
|eval report="firstReport" | collect index=your_summary
OR |eval report="secondReport" | collect index=your_summary


ravimishrabglr
Explorer

@to4kawa The 1st worked; I am able to push data into the summary index. But while fetching, it is not aggregating the result: it is returning the same API name and counts 2 times in a 2-day search. I am running the collect query daily in a scheduled report.

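
The behaviour described above (the same API name and counts appearing twice after two days) is what a stats-plus-collect summary produces: each scheduled run stores one finished row per ApiName and Status, so after two runs there are two rows per pair, and a reporting search that merely lists them shows both. Here is an added example, not from the thread, of the collect-based route to4kawa suggested, with a reporting search that re-aggregates the stored rows. The two searches are separated by a blank line (populating, then reporting). It assumes the summary index is your_summary as in to4kawa's reply, that the report field is set with eval before collect, and that the saved search writes to the summary only through collect and not also through the Enable Summary Indexing checkbox (which would store every row twice); the rest is the thread's own query.

```spl
index="myIndex" host="myHost" source="/var/logs/events.log" sourcetype="ss:vv:events" (MTHD="POST" OR MTHD="GET")
| rex field=U "(?P<ApiName>[^\/]+)(\/([a-z0-9]{32})|$)"
| search (ApiName=abc OR ApiName=xyz)
| dedup CR,RE
| stats count AS TotalReq BY ApiName, Status
| eval report="secondReport"
| collect index=your_summary

index=your_summary report=secondReport
| stats sum(TotalReq) AS TotalReq BY ApiName, Status
| xyseries ApiName Status TotalReq
| addtotals labelfield=ApiName col=t label="ColTotals" fieldname="RowTotals"
```

sum(TotalReq) is the right re-aggregation because a count can be added across runs. An average or a distinct count cannot be rebuilt from finished rows (an average of daily averages is not the average), which is exactly the case where sistats and its psrsvd_* fields are needed instead of collect. The field name in the reporting sum must match the name collect stored, here TotalReq.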

to4kawa
Ultra Champion

The 2nd answer, |eval report="secondReport", is for the next search.

Next search example:
index=your_summary report="secondReport" you_want


ravimishrabglr
Explorer

Thanks @to4kawa, it worked, but I ran into another strange problem. Here is my query:

index="myIndex" host="myHost" source="/var/logs/events.log" sourcetype="ss:vv:events" (MTHD="POST" OR MTHD="GET")
| rex field=U "(?P<ApiName>[^\/]+)(\/([a-zA-Z0-9]{32})|$)"
| where ApiName IN ("abc", "xyz")
| dedup CR,RE
| stats count as TotalReq by ApiName, Status
| xyseries ApiName Status, TotalReq

Now when I am using the IN command in the above query like this:
| where ApiName IN ("abc") produces 10 events and
| where ApiName IN ("xyz") produces 20 events, but when using both ApiNames together
| where ApiName IN ("abc", "xyz") produces 25 events only. It should produce 30, right? Where are the 5 events?

Please help me fix this problem. Plus I am CCing the wonderful people who already helped me in another question: @richgalloway @gf13579 @vnravikumar

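
An added example, not from the thread, that reproduces the missing-events arithmetic with five constructed rows. dedup CR,RE runs across every ApiName in the result set, so a (CR, RE) pair that occurs under both abc and xyz survives once in the combined search but once in each of the separate single-API searches, and the combined total comes out lower than the sum. The ApiName, CR and RE values are made up with makeresults (the thread shows no sample events); the pipeline from where onward mirrors the thread's query.

```spl
| makeresults count=1
| eval rows="abc,c1,r1;abc,c2,r2;abc,c3,r3;xyz,c1,r1;xyz,c4,r4"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "(?<ApiName>[^,]+),(?<CR>[^,]+),(?<RE>[^,]+)"
| where ApiName IN ("abc", "xyz")
| dedup CR,RE
| stats count AS TotalReq BY ApiName
```

Run as written this returns abc=3 and xyz=1, four rows in total; with the where clause narrowed to ("abc") it returns 3, and narrowed to ("xyz") it returns 2, so the separate runs add up to 5. The shared pair c1,r1 is the missing event. Which copy survives depends on result order: makeresults keeps the listed order, so abc's copy wins here, whereas a real search delivers events newest first, so the most recent event's ApiName keeps the pair. To confirm this on the real data, run the thread's query up to (but without) the dedup and append | stats dc(ApiName) AS apis BY CR, RE | where apis > 1; each row is a pair counted in both single-API searches but only once in the combined one. If a CR,RE pair is meant to be unique per API rather than globally, dedup ApiName, CR, RE makes the counts additive again.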

to4kawa
Ultra Champion

index="myIndex" host="myHost" source="/var/logs/events.log" sourcetype="ss:vv:events" (MTHD="POST" OR MTHD="GET")
| rex field=U "(?P<ApiName>[^\/]+)(\/([a-zA-Z0-9]{32})|$)"
| stats count by ApiName

Check the counts and provide them here.


ravimishrabglr
Explorer

In the above, I provided the counts (10, 20) just as an example, but below are the real counts from the old query and the new query that you provided.

ApiName | oldQuery | newQuery
abc | 8258875 | 21781751
xyz | 74371 | 2283504


to4kawa
Ultra Champion

I don't know your oldQuery and newQuery.

Your question is "Summary Index sistats not working with xyseries".
Did you resolve this?

If you have other issues, you should ask them in another question.
