Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Summary Indexing and Sort Orders

Kyle_Brandt
Path Finder
‎03-01-2011 09:43 PM

I am somewhat confused on how to set up my searches to populate my summary index. For example, two of the reports will have similar data but different sort orders:

starthoursago="2" endhoursago="1" eventtype="HAProxy Web Logs" | sistats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP | sort by count desc | head 2000

vs

starthoursago="2" endhoursago="1" eventtype="HAProxy Web Logs" | sistats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP | sort by sum(HTTP_HAPROXY_BYTES_SENT) | head 2000

Should I somehow be combing these two searches and then running the sorts from search against the summary index?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-02-2011 12:41 AM

Yes. There is not much point in sorting the summarized data. You should sort when you retrieve the data from the summary. Summarization is not for saving a report, but rather for saving data.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...