Hi,
This is a carry-on question from a previous post. https://answers.splunk.com/answers/439628/scheduling-multiple-searches.html
I have a few more searches that need to be embedded in other SI's. These searches are:
Top 20 sourcetypes
| tstats count where index=test* groupby sourcetype, _time | sitimechart sum(count) as count by sourcetype
Count of sourcetypes
| tstats dc(sourcetype) as sourcetypes WHERE index=test* earliest=-15m@m latest=-5m@m by _time span=10m
Count of hosts
| tstats dc(host) as Hosts WHERE index=test* earliest=-15m@m latest=-5m@m by _time span=10m
License usage
index=_internal source=license_usage.log type=Usage pool= idx=test* earliest=-15m@m latest=-5m@m | sitimechart span=10m sum(b) as Bytes
All of these searches need to be able to fill a SI, which then populates a further 3 SI's (reading the link will clarify what I need to do). Any help would be appreciated!!
Thanks !
Solved this by renaming my fields, i.e. not using count, and also not using si.
You can actually set it up the same way as suggested in the previous post. (Set up your first SI with your current search. Your subsequent search should use the results from the previous SI.)
Still no joy with this:
- Data gets to the first SI fine, and I can report on it.
- Trying to populate the second SI from the 1st one returns no usable data in the 2nd, using any of the searches above.
- My thoughts are that it has something to do with _raw changing once in the first SI, which then stops the normal searches from populating the 2nd SI and so on.
I tried that. I can get it to work for everything that isn't using a timechart count after the initial si command. It doesn't count the count after the 1st summary index. Everything is using sitimechart first, then timechart.
Since the timechart changes the column names with actual values, I would not use the timechart on the SI searches (for searches where column names can vary). I would probably just keep it with stats command in all SI and will use timechart in actual dashboard/reports using the data. Could you provide an example of SI search which is not working (and how it's not working)?
Thanks, yeah, that's exactly what's causing the problem (column names). I'll create the other SI's with stats and then just use timechart in my dashboard. This is one of the searches not working:
| tstats count where index=test* groupby sourcetype, _time | sitimechart sum(count) as count by sourcetype
And it looks like it's not including the count because the columns are changing. I'll try it with stats and get back to you! Thanks for the help.
No joy. Still getting the same issue with the above search. It just doesn't count; perhaps I'll use a different search to populate the first SI.
You could set up a scheduled search for every 3 seconds to populate your second SI, but you will have some latency issues. I'd also recommend using the dedup argument because you will definitely have some overlap.
Out of curiosity, why are you summarizing the data in a secondary summary index?
Thanks for the reply. It's not the scheduling I'm having issues with, it's the initial searches; they aren't populating the 2nd, 3rd, 4th SI's correctly. I suspect the syntax for the initial populating search is incorrect. Could you advise on any different syntax?
I have no idea why they're summarizing in 4 SI's. I suspect it's to test their environment (client requirement, not personal choice).
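The advice in the thread (keep the summary-index searches on stats-style output with fixed field names, and only use timechart in the dashboard) worked through as a savedsearches.conf fragment. This is an added example, not configuration from the original thread or from Splunk; the stanza names, the summary index names summary_tier1 and summary_tier2, the field name event_count, and the cron schedules are assumptions.

```ini
# savedsearches.conf (assumed app context; index and stanza names are assumptions)
# Tier 1: runs every 10 minutes over the same -15m@m..-5m@m window as the
# searches in the thread. tstats/stats output is one row per (_time, sourcetype)
# with fixed field names, so the next tier can filter and sum it reliably.
# sitimechart would instead turn each sourcetype value into a column name,
# which is what stopped the 2nd SI from finding a "count" field.
[si_tier1_sourcetype_events]
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = -5m@m
search = | tstats count AS event_count WHERE index=test* BY _time span=10m sourcetype
action.summary_index = 1
action.summary_index._name = summary_tier1
action.summary_index.report = sourcetype_events

# Tier 2: hourly roll-up read from tier 1. Filter on the report field that
# tier 1 stamps on every row, so other summaries sharing the index are excluded,
# and keep the same field names so a tier 3 can read this exactly the same way.
[si_tier2_sourcetype_events_hourly]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
search = index=summary_tier1 report=sourcetype_events | bin _time span=1h | stats sum(event_count) AS event_count BY _time sourcetype
action.summary_index = 1
action.summary_index._name = summary_tier2
action.summary_index.report = sourcetype_events_hourly

# Dashboard report (not summary-indexed): only here do values become columns.
[rpt_top20_sourcetypes_hourly]
search = index=summary_tier2 report=sourcetype_events_hourly | timechart span=1h sum(event_count) AS event_count BY sourcetype limit=20
```

Because every summary-index search filters on its own report value and sums a field with a fixed name, a tier that returns no rows points at the scheduled window or the filter, not at a renamed column.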