Dear Splunk gurus,

I am trying to use Summary Indexing to improve reporting times for a Print Analytics dashboard. To this end, I am "upgrading" a search for Summary Indexing, but I've got stuck on a simple problem with the stats sum command. Here is the story so far:

My original search was:

SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | stats sum(pgs)

This examines the Windows system event log for print events, then performs a regex looking for a decimal number of pages and returns this as a value called "pgs", finally it totals the number of pages. If I run this for the period "yesterday" I get a value of 15247 pages printed. All good so far.

Now modifying that search, replacing the stats command with summary index friendly sistats command I get:

SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | sistats sum(pgs)

I immediately observed that I am getting much more returned that my page count sum. The search returns the following dataset:

psrsvd_ct_pgs 4018  
psrsvd_gc 4692  
psrsvd_nc_pgs 4018  
psrsvd_sm_pgs 15247 
psrsvd_ss_pgs 672921    
psrsvd_v 1
psrsvd_vt_pgs 0

I am annoyed that these returns are not documented. By inspection I can see that the value I require is "psrsvd_sm_pgs 15247", which is a numeric. I also note that "psrsvd_gc 4692" is the total number of events examined. I have no idea what the other fields mean.

Anyway, ignoring the other numbers, I created a saved search as per the Splunk documentation instructions Usesummaryindexing. I add the field report="Summary_total_pages_printed_yesterday" to my search, so I can extract it from the Summary index just fine. This I am pleased to report, works as I expect it to.

My saved search executes at midnight and I can get the results returned just fine by running:

index="summary" report="Summary_total_pages_printed_yesterday" 

on the time period of Yesterday. The dataset returned is this:

05/11/2011 00:00:00, search_name="Summary - total pages printed yesterday", search_now=1305154800.000, info_min_time=1305068400.000, info_max_time=1305154800.000, info_search_time=1305154963.926, psrsvd_ct_pgs=4018, psrsvd_gc=4692, psrsvd_nc_pgs=4018, psrsvd_sm_pgs=15247, psrsvd_ss_pgs=672921, psrsvd_v=1, psrsvd_vt_pgs=0, report="Summary_total_pages_printed_yesterday"

The problem arises when I try to run

 index="summary" report="Summary_total_pages_printed_yesterday" | stats sum(psrsvd_sm_pgs)

on the time period of Yesterday, or last week, both of which returns no results. I am expecting a stats sum command to work on summary index information, like in search, but it is not.

Can anyone tell me what I am doing wrong?

Once I crack this, it's a simply thing to update my dashboard and run reports looking at a whole month.

I am using Splunk 4.2.1.

Thanks
Alex