We have a saved-search that retrieves data from an existing summary index. It is of the following form:
index=summary s_name=blah | stats count as inner_count by field1 field2 _time | bucket span=1mon _time | sistats sum(inner_count) as outer_count by field1 field2 _time
The above search is saved with a marker:
s_name=blah2. When I try to retrieve this in a dashboard using the following query, the outer_count always shows up as 0.
index=summary s_name=blah2 | stats sum(inner_count) as outer_count by field1 field2 _time
Any help is appreciated.
sistats command on your summary indexing search should not output a field called "inner_count".
Which you should be able to confirm with the search:
index=summary s_name=blah2 inner_count=*
(I'm not 100% sure what this looks like with the
sistats, I normally prefer
stats and simply avoid any of the complex stuff that
sistats handles that
stats does not. So I could be wrong about that search.)
What I do not full understand is how your second search
sum(inner_count) give a value of 0. If
inner_count is missing completely, you should get a "missing field" error in your search.
Never mind, I just figured out that
sistats seems to just pretty much ignore field renaming using "as"; so "inner_count" is probably the field name that is saved in the summary index and not "outer_count".
Out of curiosity, if you take the secondary summary index out of the equation, does it work?
index=summary s_name=blah | stats count as inner_count by field1 field2 _time | bucket span=1mon _time | sistats sum(inner_count) by field1 field2 _time | stats sum(inner_count) as outer_count by field1 field2 _time
When I run the following search:
index=summary report=blah2 | stats sum(inner_count) by field1 field2 _time, i do see "mon_count" being displayed as a "field" under the "Other interesting fields" section. However when I try to use it in the
stats command it doesn't work.
I'm not familiar with the "mon_*" prefixed fields, but then again I don't know all that much about how the
si search commands summarized your fields either, so this could be normal. Well, at least you've been able to prove that it's not a summary indexing problem, it's something in your combination of
sistats ... | stats ..., or it's a bug.
Sorry. I meant to say "outercount". The `outercount
field gets displayed in the "Other interesting fields" section.outer_count` is defined in the summary index query (in the question above).