Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I have summary data in the logs from a custom application, I would like to further aggregate my data an make it compatible with sistats output

bmorgan
Explorer
‎06-22-2010 09:26 PM

I need to take already summarized data in the logs, aggregate it from a large group of servers, and build an si-type index. Looking at si-generated data from sistas fields, I have deduced the following meanings but need further clarification

psrsvd_ct_FIELDNAME = count
psrsvd_nc_FIELDNAME = Also Count?
psrsvd_sm_FIELDNAME = sum
psrsvd_ss_FIELDNAME = sum of squars
psrsvd_vt_cnt = ?? some kind of variance ??

So is ct = count, what is nc really for, what formula do you use for SS (does it include std-dev or is it a simple sum of squares), and what is vt?

Thanks,
Blaine

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎06-23-2010 02:33 AM

nc = numerical count (number of values for this field that can be interpreted as numbers), e.g. computing the average would be sum/nc

ss is just simple sum of squares, i.e. X1*X1 + X2*X2 + X3*X3

vt is actually originally stood for "valuetype", but what we store in it is actually just the maximum precision of the numerical values of the field. This is so that if you average together a bunch of values like 9.5,10.5,11.5, you get 10.5 and not 10.500000 or 11

View solution in original post

Reply
Solved! Jump to solution

joy76
Path Finder
‎05-06-2013 07:32 PM

Hi, I am just catching up on you your answers followed by comments...
What does "psrsvd" as in psrsvd_* stand for here ?

0 Karma
Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎06-23-2010 02:33 AM

nc = numerical count (number of values for this field that can be interpreted as numbers), e.g. computing the average would be sum/nc

ss is just simple sum of squares, i.e. X1*X1 + X2*X2 + X3*X3

vt is actually originally stood for "valuetype", but what we store in it is actually just the maximum precision of the numerical values of the field. This is so that if you average together a bunch of values like 9.5,10.5,11.5, you get 10.5 and not 10.500000 or 11

Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎06-29-2010 10:52 PM

nc is numerical count, i.e. the number of values that can be entirely as numbers, where as ct is the total count.

I.e. if your field had the following values:

0,foo,1,bar

ct=4 and nc=2

0 Karma
Reply
Solved! Jump to solution

bmorgan
Explorer
‎06-24-2010 04:35 PM

is there a difference between ct and nc

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...