Using Summary Index Data

oreoshake
Communicator

I have some summary index data that is stored with sistats:

index="_internal" group="per_host_thruput" source=*metrics.log | eval megs=kb/1024 | fields series,kb,megs | sistats sum(megs) by series

I'd like to do a delta on some of this data but I'm not quite sure which events/fields I should use since sistats does some massaging of the data.

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as delta_megs

This will get the delta info that I need, but

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as del | stats max(del) by series

Returns nothing. Any thoughts?


Stephen_Sorkin
Splunk Employee

When using a summary index created using the "si*" sufficient statistic accelerators, the only supported operation on the data after retrieval is the corresponding full reporting command. That means, for sistats <aggregator>, you can only run index=summary source=... | stats <aggregator>. The same holds true for sitimechart, sitop and sichart.

The "si*" command output is an internal opaque format that is interpreted in a special manner by commands within splunk.

What's the goal report that you want here?

Jason
Motivator

Thanks for posting this - I was doing | sistats count by host, source, sourcetype, field1, field2 and was able to find host, sourcetype and source as having the orig_ rename, but couldn't get the count (in the psrsvd_gc field) to play nicely. It constantly said it was an "internal variable". I'll just use index="summary" | stats count by orig_host, orig_source, orig_sourcetype, field1, field2. I'll repost this as a question too. http://answers.splunk.com/questions/6887/


oreoshake
Communicator

I am trying to create a report that notifies me when a host starts sending an unusual amount of data by using the summary index data. I suppose I could just use the metrics data as is.

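Putting Stephen's rule together with the per-host throughput alert oreoshake describes, here is one way to structure it as an added example (not from the original thread, and not Splunk's own documentation). It stays inside the supported pattern: the scheduled search stores sufficient statistics with sitimechart, and the retrieval search reads them back with the corresponding full command, timechart. Only after timechart has rebuilt ordinary rows is anything else (untable, streamstats, eval) applied to the result. Assumptions: the summary-populating saved search is named "si_thruput_by_host" so its events carry source="si_thruput_by_host" in index=summary; both searches use a 15-minute span; the alert threshold of 512 MB growth between consecutive buckets is a constructed placeholder; and the `fields - _span _spandays` line is there to drop timechart's bucket bookkeeping fields before untable turns the columns back into one row per host and time bucket.

```spl
index="_internal" group="per_host_thruput" source=*metrics.log
| eval megs=kb/1024
| sitimechart span=15m sum(megs) by series

index=summary source="si_thruput_by_host"
| timechart span=15m sum(megs) as megs by series
| fields - _span _spandays
| untable _time series megs
| streamstats current=f last(megs) as prev_megs by series
| eval delta_megs = megs - prev_megs
| where delta_megs > 512
```

The first search is the one to schedule with summary indexing enabled (it runs every 15 minutes over the previous 15 minutes); the second is the alert search run over whatever window you want to watch. Because the delta is computed per series after timechart has decoded the prestats data, it avoids the "internal variable" problem Jason hit when touching psrsvd_* fields directly. The same split applies if you prefer sistats/stats: keep the delta (or streamstats) after the stats command, never on the raw summary events.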