Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using Summary Index Data

oreoshake
Communicator
‎07-01-2010 06:35 PM

I have some summary index data that is stored with sistats:

index="_internal" group="per_host_thruput" source=*metrics.log | eval megs=kb/1024 | fields series,kb,megs | sistats sum(megs) by series

I'd like to do a delta on some of this data but I'm not quite sure which events/fields I should use since sistats does some massaging of the data.

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as delta_megs

This will get the delta info that I need, but 

index=summary prestats_reserved_type=sum | delta prestats_reserved_val as del | stats max(del) by series

Returns nothing. Any thoughts?

Tags (1)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎07-02-2010 05:03 PM

When using a summary index created using the "si*" sufficient statistic accelerators, the only supported operation on the data after retrieval is the corresponding full reporting command. That means, for sistats <aggregator>, you can only run index=summary source=... | stats <aggregator>. The same holds true for sitimechart, sitop and sichart.

The "si*" command output is an internal opaque format that is interpreted in a special manner by commands within splunk.

What's the goal report that you want here?

Reply

Jason
Motivator
‎09-16-2010 02:56 AM

Thanks for posting this - I was doing | sistats count by host, source, sourcetype, field1, field2 and able to find host, sourcetype and source as having the orig_ rename, but couldn't get the count (in the psrsvd_gc field) to play nicely. It constantly said it was an "internal variable". I'll just use index="summary" | stats count by orig_host, orig_source, orig_sourcetype, field1, field2. I'll repost this as a question too. http://answers.splunk.com/questions/6887/

0 Karma
Reply

oreoshake
Communicator
‎07-06-2010 06:12 PM

I am trying to create a report that notifies me when a host starts sending an unusual amount of data by using the summary index data. I suppose I could just use the metrics data as is

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...