Solved: How to create a more efficient sitimechart for dis...

pr0n · ‎01-16-2020

When using index=blah | sitimechart dc(field1) by field2 It saves every single element for field1 concatenated into a new field called psrsvd_vm_field1. For me this makes for an insanely inefficient summary index with millions and millions of useless entries in the psrsvd_vm_field1 field. How can I streamline this so that it doesn't store all that information and have to sort through it every time I chart the summarized data.

DavidHourani · ‎01-16-2020

Hi @pr0n,

If you're just looking to store the distinct count without the detailed multi-value, then all you have to do is save a timechart into a summary index using | collect instead of using sitimechart.

Cheers,
David

View solution in original post

DavidHourani · ‎01-16-2020

Hi @pr0n,

If you're just looking to store the distinct count without the detailed multi-value, then all you have to do is save a timechart into a summary index using | collect instead of using sitimechart.

Cheers,
David

pr0n · ‎01-16-2020

How do I timechart the summary? My understanding is I need sitimechart to prepare data for proper timechart once it's summarized.

DavidHourani · ‎01-16-2020

Well it depends on what you're trying to achieve, because if you need to be able to run a dc over any time span then you will need that inefficient mv field. But if you're only interested in keeping a specific time interval in your summary then going for the results of a timechart would do the trick for you.
It'll only save _time and dc value instead of saving _time, dcand all values.

How to create a more efficient sitimechart for distinct count?

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?