Using Summary Index Data


I have some summary index data that is stored with sistats:

index="_internal" group="per_host_thruput" source=*metrics.log | eval megs=kb/1024 | fields series,kb,megs | sistats sum(megs) by series

I'd like to do a delta on some of this data, but I'm not quite sure which events/fields I should use since sistats does some massaging of the data.

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as delta_megs

This will get the delta info that I need, but

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as del | stats max(del) by series

returns nothing. Any thoughts?


Splunk Employee

When using a summary index created using the "si*" sufficient statistic accelerators, the only supported operation on the data after retrieval is the corresponding full reporting command. That means, for sistats <aggregator>, you can only run index=summary source=... | stats <aggregator>. The same holds true for sitimechart, sitop and sichart.

The "si*" command output is an internal opaque format that is interpreted in a special manner by commands within splunk.

What's the goal report that you want here?


Thanks for posting this - I was doing | sistats count by host, source, sourcetype, field1, field2 and was able to find host, sourcetype and source as having the orig_ rename, but couldn't get the count (in the psrsvd_gc field) to play nicely. It constantly said it was an "internal variable". I'll just use index="summary" | stats count by orig_host, orig_source, orig_sourcetype, field1, field2. I'll repost this as a question too.



I am trying to create a report that notifies me when a host starts sending an unusual amount of data by using the summary index data. I suppose I could just use the metrics data as is.

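As an added example (not from the original thread, and not Splunk's own documentation), the following two searches apply the rule from the accepted answer to the goal stated above: the si* data is retrieved only by its matching full reporting command, and every further calculation (delta, baseline, threshold) runs on the materialised result after that command. The populating search uses sitimechart rather than sistats so that the hourly buckets survive in the summary; the answer states that sitimechart/timechart is supported in exactly the same way. The summary source name per_host_thruput_hourly, the 7-day baseline window, the 100 MB floor and the 3-sigma threshold are assumptions chosen for illustration.

```spl
index=_internal group=per_host_thruput source=*metrics.log
| eval megs=kb/1024
| sitimechart span=1h sum(megs) BY series

index=summary source="per_host_thruput_hourly" earliest=-7d@h latest=@h
| timechart span=1h limit=0 useother=f sum(megs) BY series
| untable _time series megs
| eventstats avg(megs) AS baseline stdev(megs) AS sd BY series
| where _time >= relative_time(now(), "-1h@h")
| eval zscore = if(sd > 0, (megs - baseline) / sd, 0)
| where zscore > 3 AND megs > 100
| table _time series megs baseline sd zscore
```

The first search is the one to schedule hourly with summary indexing enabled (summary index "summary", source "per_host_thruput_hourly"); its output is the opaque psrsvd_* format and is not meant to be read directly. The second search is the alert: timechart rebuilds the per-host hourly megabytes from that format, untable turns the matrix back into one row per hour and host, and only then are the per-host mean and standard deviation computed and the most recent full hour compared against them. Once megs exists as a plain field after timechart, commands such as delta or streamstats work on it normally; it is only the psrsvd_* / prestats_reserved_* fields that cannot be fed to anything except the matching stats, timechart, chart or top command.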