So right now I have a summary index that is being populated by the following command:
earliest=-20m latest=-5m | bucket _time span=5m | sistats count by _time host sourcetype index
The idea is that I'd like to have a record of how many new events were added for each host/sourcetype/index in five minute increments. I'm running that every 15 minutes, using the time window specified (going back -20/-5 in case anything is a little slow to be indexed - I care more about the time the event was generated than when it made it into the index in this case). I'd like to be able to take this data and do a number of different things with it, and I'm wondering what's doable and what isn't:
I'd like to be able to sum counts together using the stored values in the summary index to give me a count of events for each host, or sourcetype, or index, over various spans of time. So I'd like to be able to say, using that stored data, tell me how many events were generated for each sourcetype for the last week. Or each index, or each host, etc. Is this doable using the way I'm storing the data above?
I'd like the ability to timechart against the stored summarized data, too. So I'd like to be able to create a timechart showing me counts per sourcetype over time (or index, or host, etc.). Is this doable given how the data is being stored above, especially since I'm not using sitimechart to store it?
The main reason I'm asking is I don't have the best grasp of what is doable and what is not via the sistats/sitimechart/etc. commands, and the best way of populating summary indexes that will give me the flexibility I need when it comes time to report on that data.
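To make the "is this doable" part concrete: the roll-ups you describe (totals per host, sourcetype or index over a longer window, and an hourly timechart) only need the stored 5-minute counts to be additive. The script below is an added example, not part of the original question and not Splunk code: it models the rows that `sistats count by _time host sourcetype index` would leave in the summary index with constructed values, re-aggregates them by any subset of fields and any coarser span, refuses a finer span (which the stored data cannot answer), and flags 5-minute buckets with no rows at all, since a skipped or misaligned run silently undercounts every report built on top.

```python
from collections import defaultdict

SPAN = 300  # seconds; the `bucket _time span=5m` used when the summary index was populated
BASE = 1_700_002_800  # constructed epoch start aligned to both a 5-minute and a 1-hour boundary

# Constructed stand-in for what `sistats count by _time host sourcetype index` stores:
# one row per (5-minute bucket, host, sourcetype, index) with that bucket's event count.
SUMMARY_ROWS = [
    {"_time": BASE + off, "host": h, "sourcetype": st, "index": ix, "count": c}
    for off, h, st, ix, c in [
        (0,    "web01", "access_combined", "web", 120),
        (0,    "web02", "access_combined", "web", 80),
        (0,    "db01",  "mysql_error",     "db",  3),
        (300,  "web01", "access_combined", "web", 130),
        (300,  "web02", "access_combined", "web", 70),
        (600,  "web01", "access_combined", "web", 110),
        (600,  "db01",  "mysql_error",     "db",  5),
        (3600, "web01", "access_combined", "web", 90),  # buckets 900..3300 are absent on purpose
        (3600, "db01",  "mysql_error",     "db",  2),
    ]
]


def rollup(rows, by, span=None):
    """Sum stored counts over the fields in `by`, optionally re-bucketed to `span` seconds.
    Counts are additive, so any grouping coarser than what was stored (fewer split-by fields,
    a longer span) is recovered exactly by summing; anything finer than the stored span is
    not in the data and is refused rather than silently producing wrong numbers."""
    if span is not None and (span < SPAN or span % SPAN):
        raise ValueError(f"span must be a multiple of the stored {SPAN}s span")
    totals = defaultdict(int)
    for row in rows:
        key = tuple(row[f] for f in by)
        if span is not None:
            key = (row["_time"] - row["_time"] % span,) + key  # align to the coarser bucket
        totals[key] += row["count"]
    return dict(totals)


def missing_buckets(rows, span=SPAN):
    """Bucket start times between the first and last stored bucket that have no rows at all.
    A skipped scheduled run, or a window that did not line up with the 15-minute schedule,
    leaves holes like these, and every roll-up built on the data silently undercounts."""
    present = {row["_time"] for row in rows}
    first, last = min(present), max(present)
    return [t for t in range(first, last + 1, span) if t not in present]
```

`rollup(SUMMARY_ROWS, ["sourcetype"])` is the "events per sourcetype over the whole range" total and `rollup(SUMMARY_ROWS, ["sourcetype"], span=3600)` is the hourly timechart; a distinct count or a percentile would not survive this treatment, which is why a plain count is the easy case.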