rolling dc over a summary index

vbumgarn · ‎01-03-2012

I'm trying to build a running distinct count against a summary index. I came up with a solution, but it seems a little bit hackish. I'm hoping someone has a better way.

The summary query is like so, running hourly:

host=*foo* status=200 authenticate POST email | sistats dc(email)

I was hoping to simply do this, but it doesn't work:

index=summary ... | streamstats dc(email) as dc24 window=24  | timechart span=1h max(dc24)

Adding an interim stats values() makes it work (I think), but it seems awful:

index=summary ... | stats values(email) as emails by _time | streamstats dc(emails) as dc24 window=24  | timechart span=1h max(dc24) dc(emails)

Anyone have a better way to meld summary dc and streamstats?

lguinn2 · ‎01-03-2012

If you look at what is actually stored in the summary index, you will get some hints about what will/won't work. I don't know that I understand the question properly, but here is an idea

Use the following for the "populating search" or "summary query"

host=*foo* status=200 authenticate POST email | sistats count by email

Then see what you get. And I might have more suggestions if I really knew what you want - the email with the most events from the last 24 hours? Is "email" actually the name of a field? I assume so in the search above...

rolling dc over a summary index

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024