Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Summary Index Data

oreoshake
Communicator
‎07-01-2010 06:35 PM

I have some summary index data that is stored with sistats:

index="_internal" group="per_host_thruput" source=*metrics.log | eval megs=kb/1024 | fields series,kb,megs | sistats sum(megs) by series

I'd like to do a delta on some of this data but I'm not quite sure which events/fields I should use since sistats does some massaging of the data.

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as delta_megs

This will get the delta info that I need, but 

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as del | stats max(del) by series

Returns nothing. Any thoughts?

Tags (1)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎07-02-2010 05:03 PM

When using a summary index created using the "si*" sufficient statistic accelerators, the only supported operation on the data after retrieval is the corresponding full reporting command. That means, for sistats <aggregator>, you can only run index=summary source=... | stats <aggregator>. The same holds true for sitimechart, sitop and sichart.

The "si*" command output is an internal opaque format that is interpreted in a special manner by commands within splunk.

What's the goal report that you want here?

Reply

Jason
Motivator
‎09-16-2010 02:56 AM

Thanks for posting this - I was doing | sistats count by host, source, sourcetype, field1, field2 and able to find host, sourcetype and source as having the orig_ rename, but couldn't get the count (in the psrsvd_gc field) to play nicely. It constantly said it was an "internal variable". I'll just use index="summary" | stats count by orig_host, orig_source, orig_sourcetype, field1, field2. I'll repost this as a question too. http://answers.splunk.com/questions/6887/

0 Karma
Reply

oreoshake
Communicator
‎07-06-2010 06:12 PM

I am trying to create a report that notifies me when a host starts sending an unusual amount of data by using the summary index data. I suppose I could just use the metrics data as is

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...