Knowledge Management

summary index issue

karche
Path Finder

I have created a summary index from the following query (I called it the base query), and the summary index is configured to run every 15 min; the time range is -17 to -2 mins.

source= | sistats avg(response_time) count by source, server_name, status_code, application

When I compare the results between the summary index and the base query over the same period, like yesterday, with or without the 15-minute window adjustment, there is a huge difference in the results. It does not matter whether I count by source, server_name, status_code or application by itself.

source= | stats count by source
vs
index=summary search_name="summary_web_sistats" | stats count by source

What did I do wrong here? Does anyone have the same issue using a summary index?

Thanks in advance


Takajian
Builder

I have never faced the same issue, but I sometimes see a similar issue in my lab. In my case, the timestamp of the indexed log was not correct, or Splunk took time to index the data for some reason. I am not sure if these factors are related to your case, but if the timestamp of the log or the indexing time is not accurate, this affects summary index results.

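A check for the cause Takajian describes, added here as an example and not part of either post. The summary search runs over -17m to -2m, so an event whose _time falls inside that window but which is indexed more than roughly 2 minutes after its timestamp is not yet in the index when the run that covers it executes, and no later run goes back for it. This SPL measures that indexing lag per source over yesterday; the source value is a placeholder for the one in the base query, and the 120-second threshold is an assumption derived from the -2m latest boundary.

```spl
source="<your-source>" earliest=-1d@d latest=@d
| eval lag_sec = _indextime - _time
| eval late = if(lag_sec > 120, 1, 0)
| stats count AS events, sum(late) AS events_indexed_late, max(lag_sec) AS max_lag_sec, perc95(lag_sec) AS p95_lag_sec by source
| eval pct_late = round(100 * events_indexed_late / events, 2)
| sort - pct_late
```

A non-zero events_indexed_late for a source is a direct count of events the scheduled run could not have seen, and a negative or very large lag_sec points at the wrong-timestamp case instead; comparing pct_late against the size of the gap between the two queries tells you whether latency alone explains it.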