I have two questions:
1st question: Below is the query to generate the stats that I want to push into a Summary Index:
index="myIndex" host="myHost" source="/var/logs/events.log" sourcetype="ss:vv:events" (MTHD="POST" OR MTHD="GET")
| rex field=U "(?P<ApiName>[^\/]+)(\/([a-z0-9]{32})|$)"
| search (ApiName=abc OR ApiName=xyz)
| dedup CR,RE
| stats count as TotalReq by ApiName, Status
| xyseries ApiName Status, TotalReq
| addtotals labelfield=ApiName col=t label="ColTotals" fieldname="RowTotals"
It gives me a perfect result:
ApiName | 200 | 400 | 404 | 500 | RowTotals
abc | 12 | 2 | 4 | 1 | 19
xyz | 10 | 3 | 2 | 2 | 17
ColTotals | 22 | 5 | 6 | 3 | 36
But when I change stats to sistats to push into the Summary Index, it does not produce any result. Please help me with the query.
2nd question: I already have a Summary Index available, and one stats report with a different query is already being pushed to it every day, which I have annotated using the Add Fields option in the Edit Summary Index window as report = firstReport. Can I now push another (the above) report into the same Summary Index with a different annotation, report = secondReport? Will it work, or do I have to create another Summary Index for this report as well? Please help.