Summary collection of summary indexed data

sranga
Path Finder

Hi

We have a saved-search that retrieves data from an existing summary index. It is of the following form:

index=summary s_name=blah | stats count as inner_count by field1 field2 _time | bucket span=1mon _time | sistats sum(inner_count) as outer_count by field1 field2 _time

The above search is saved with a marker: s_name=blah2. When I try to retrieve this in a dashboard using the following query, the outer_count always shows up as 0.

index=summary s_name=blah2 | stats sum(inner_count) as outer_count by field1 field2 _time

Any help is appreciated.

Ranga


Lowell
Super Champion

Your final sistats command on your summary indexing search should not output a field called "inner_count".

Which you should be able to confirm with the search:

index=summary s_name=blah2 inner_count=*

(I'm not 100% sure what this looks like with the sistats; I normally prefer stats and simply avoid any of the complex stuff that sistats handles that stats does not. So I could be wrong about that search.)

What I do not fully understand is how your second search's sum(inner_count) gives a value of 0. If inner_count is missing completely, you should get a "missing field" error in your search.


Update:

Never mind, I just figured out that sistats seems to just pretty much ignore field renaming using "as"; so "inner_count" is probably the field name that is saved in the summary index and not "outer_count".

Out of curiosity, if you take the secondary summary index out of the equation, does it work?

index=summary s_name=blah | stats count as inner_count by field1 field2 _time | bucket span=1mon _time | sistats sum(inner_count) by field1 field2 _time | stats sum(inner_count) as outer_count by field1 field2 _time

sranga
Path Finder

Sorry. I meant to say "outer_count". The outer_count field gets displayed in the "Other interesting fields" section. outer_count is defined in the summary index query (in the question above).


Lowell
Super Champion

I'm not familiar with the "mon_*" prefixed fields, but then again I don't know all that much about how the si search commands summarized your fields either, so this could be normal. Well, at least you've been able to prove that it's not a summary indexing problem, it's something in your combination of sistats ... | stats ..., or it's a bug.


sranga
Path Finder

When I run the following search: index=summary report=blah2 | stats sum(inner_count) by field1 field2 _time, I do see "mon_count" being displayed as a "field" under the "Other interesting fields" section. However, when I try to use it in the stats command, it doesn't work.


sranga
Path Finder

Thanks. If sistats ignores field renaming, my first summary-indexed query would also not function right?
