Summary index for rolling 30d count not working as...

craigcook · ‎08-02-2013

I've just started using summary indexes - I have two searches that work as expected on querying data in just the previous day.

I also what a job that queries our unique users over the previous 30 days

Here is my summary query:

event=login 
| sistats dc(user_id)

In the UI for Time range I have: from: -30d@d to: @d

and this runs every day at midnight

What I think this does:

query the login events
count the distinct ids for the previous 30 days

store them in a summary index using sistats

My retrieval query is:

event=login 
| stats dc(user_id) by _time

What I expect this to do:

return the summarized 30 day distinct count day over day

What I get:
the summarized value for 30 days : SUCCESS!

the timestamp for the count is 30 days ago and not the date of the summary run

Can someone point me to what I am doing wrong? I don't understand why the timestamp is 30 days ago and not the date of the scheduled run

craigcook · ‎08-04-2013

I found the following thread:

sistats vs stats

I will try this approach and see if it works better. Ultimately I was building two indexes one for daily and one for 30 days, but this link suggests to use the same index as data for both.

Summary index for rolling 30d count not working as expected

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?