Knowledge Management

Using Summary Index Data


I have some summary index data that is stored with sistats:

index="_internal" group="per_host_thruput" source=*metrics.log | eval megs=kb/1024 | fields series,kb,megs | sistats sum(megs) by series

I'd like to do a delta on some of this data but I'm not quite sure which events/fields I should use since sistats does some massaging of the data.

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as delta_megs

This will get the delta info that I need, but

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as del | stats max(del) by series

Returns nothing. Any thoughts?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

When using a summary index created using the "si*" sufficient statistic accelerators, the only supported operation on the data after retrieval is the corresponding full reporting command. That means, for sistats <aggregator>, you can only run index=summary source=... | stats <aggregator>. The same holds true for sitimechart, sitop and sichart.

The "si*" command output is an internal opaque format that is interpreted in a special manner by commands within splunk.

What's the goal report that you want here?


Thanks for posting this - I was doing | sistats count by host, source, sourcetype, field1, field2 and able to find host, sourcetype and source as having the orig_ rename, but couldn't get the count (in the psrsvd_gc field) to play nicely. It constantly said it was an "internal variable". I'll just use index="summary" | stats count by orig_host, orig_source, orig_sourcetype, field1, field2. I'll repost this as a question too.

0 Karma


I am trying to create a report that notifies me when a host starts sending an unusual amount of data by using the summary index data. I suppose I could just use the metrics data as is

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...