Knowledge Management

rolling dc over a summary index

vbumgarn
Path Finder

I'm trying to build a running distinct count against a summary index. I came up with a solution, but it seems a little bit hackish. I'm hoping someone has a better way.

The summary query is like so, running hourly:

host=*foo* status=200 authenticate POST email | sistats dc(email)

I was hoping to simply do this, but it doesn't work:

index=summary ... | streamstats dc(email) as dc24 window=24  | timechart span=1h max(dc24)

Adding an interim stats values() makes it work (I think), but it seems awful:

index=summary ... | stats values(email) as emails by _time | streamstats dc(emails) as dc24 window=24  | timechart span=1h max(dc24) dc(emails)

Anyone have a better way to meld summary dc and streamstats?

0 Karma

lguinn2
Legend

If you look at what is actually stored in the summary index, you will get some hints about what will/won't work. I don't know that I understand the question properly, but here is an idea

Use the following for the "populating search" or "summary query"

host=*foo* status=200 authenticate POST email | sistats count by email

Then see what you get. And I might have more suggestions if I really knew what you want - the email with the most events from the last 24 hours? Is "email" actually the name of a field? I assume so in the search above...

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...