Summary index for rolling 30d count not working as...

craigcook · ‎08-02-2013

I've just started using summary indexes - I have two searches that work as expected on querying data in just the previous day.

I also what a job that queries our unique users over the previous 30 days

Here is my summary query:

event=login 
| sistats dc(user_id)

In the UI for Time range I have: from: -30d@d to: @d

and this runs every day at midnight

What I think this does:

query the login events
count the distinct ids for the previous 30 days

store them in a summary index using sistats

My retrieval query is:

event=login 
| stats dc(user_id) by _time

What I expect this to do:

return the summarized 30 day distinct count day over day

What I get:
the summarized value for 30 days : SUCCESS!

the timestamp for the count is 30 days ago and not the date of the summary run

Can someone point me to what I am doing wrong? I don't understand why the timestamp is 30 days ago and not the date of the scheduled run

craigcook · ‎08-04-2013

I found the following thread:

sistats vs stats

I will try this approach and see if it works better. Ultimately I was building two indexes one for daily and one for 30 days, but this link suggests to use the same index as data for both.

Summary index for rolling 30d count not working as expected

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation