
Summary collection of summary indexed data

Path Finder

Hi

We have a saved-search that retrieves data from an existing summary index. It is of the following form:

index=summary s_name=blah | stats count as inner_count by field1 field2 _time | bucket span=1mon _time | sistats sum(inner_count) as outer_count by field1 field2 _time

The above search is saved with a marker: s_name=blah2. When I try to retrieve this in a dashboard using the following query, the outer_count always shows up as 0.

index=summary s_name=blah2 | stats sum(inner_count) as outer_count by field1 field2 _time

Any help is appreciated.

Ranga

0 Karma

Re: Summary collection of summary indexed data

Super Champion

Your final sistats command on your summary indexing search should not output a field called "inner_count".

Which you should be able to confirm with the search:

index=summary s_name=blah2 inner_count=*

(I'm not 100% sure what this looks like with the sistats, I normally prefer stats and simply avoid any of the complex stuff that sistats handles that stats does not. So I could be wrong about that search.)

What I do not fully understand is how your second search's sum(inner_count) gives a value of 0. If inner_count is missing completely, you should get a "missing field" error in your search.


Update:

Never mind, I just figured out that sistats seems to just pretty much ignore field renaming using "as"; so "inner_count" is probably the field name that is saved in the summary index and not "outer_count".

Out of curiosity, if you take the secondary summary index out of the equation, does it work?

index=summary s_name=blah | stats count as inner_count by field1 field2 _time | bucket span=1mon _time | sistats sum(inner_count) by field1 field2 _time | stats sum(inner_count) as outer_count by field1 field2 _time
0 Karma

Re: Summary collection of summary indexed data

Path Finder

Thanks. If sistats ignores field renaming, my first summary-indexed query would also not function, right?

0 Karma

Re: Summary collection of summary indexed data

Path Finder

When I run the following search: index=summary report=blah2 | stats sum(inner_count) by field1 field2 _time, I do see "mon_count" being displayed as a "field" under the "Other interesting fields" section. However, when I try to use it in the stats command, it doesn't work.

0 Karma

Re: Summary collection of summary indexed data

Super Champion

I'm not familiar with the "mon_*" prefixed fields, but then again I don't know all that much about how the si search commands summarized your fields either, so this could be normal. Well, at least you've been able to prove that it's not a summary indexing problem, it's something in your combination of sistats ... | stats ..., or it's a bug.

0 Karma

Re: Summary collection of summary indexed data

Path Finder

Sorry. I meant to say "outer_count". The outer_count field gets displayed in the "Other interesting fields" section. outer_count is defined in the summary index query (in the question above).

0 Karma