Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't I sum summary data from sistats?

Jason
Motivator
‎09-16-2010 02:41 AM

So, I was running ... | sistats count by host, source, sourcetype, field1, field2 and saving it to a summary index.

Then, I wanted to use the summary data to give me lists of hosts, sourcetypes, and sources. No problem, I looked at the summary data and found they were all stored in orig_ variables. (This rewrite only happens with host, source, and sourcetype.)

The problem came when I wanted to create a sum of all "count"s done by the original sistats. It was in a field called psrsvd_gc, but I couldn't use it. It wouldn't play nice and kept saying it was an internal field, or field was not available.

How do I get the sum from summary index data?

Reply
1 Solution
Solved! Jump to solution
Solution

Jason
Motivator
‎09-16-2010 02:43 AM

You're thinking about it too hard. By using | sistats count by host, source, sourcetype before, just write a search that is index=summary ... | stats count by orig_host, orig_source, orig_sourcetype, field1, field2 and it will just work. The count will be there and you can sum it up from there.

(Remember host, source, and sourcetype are rewritten when summarized, so use the orig_ fields.)

View solution in original post

Reply
Solved! Jump to solution

jdunlea_splunk
Splunk Employee
Splunk Employee
‎08-26-2011 08:27 AM

I am having the same problem, but it is not with the metadata fields.

eg: SI Search: .... | sistats count by protocol, action, src_bestmatch

Search ON SI: ..... | stats sum(count) as count by protocol

But again, the "count" from the second search is not available?? What is the solution to this?

0 Karma
Reply
Solved! Jump to solution

peasead
Path Finder
‎04-16-2012 07:20 AM

I'm still confused.

I have this to count the number of web categories and how much data was used for each:
... | sistats count by webcategory,bytes

When I run the following to get the amount of data per category:
... | stats sum(bytes) by webcategory
There is nothing displayed for bytes.

When I run:
... | stats count by bytes
I get the count of how many times each bytes total was used but no web category correlation.

If I can't use:
... | stats sum(bytes) by webcategory
how do I know how many bytes were used for each category?

Should I be using:
... | sistats sum(bytes) by webcategory

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2011 09:43 AM

Again, you're thinking about it too hard. sistats is supposed to make it easy. If you've used sistats count by x to create the summary data, then you simply use stats count by x to get the results back, not stats sum(count) by x.

Reply
Solved! Jump to solution
Solution

Jason
Motivator
‎09-16-2010 02:43 AM

You're thinking about it too hard. By using | sistats count by host, source, sourcetype before, just write a search that is index=summary ... | stats count by orig_host, orig_source, orig_sourcetype, field1, field2 and it will just work. The count will be there and you can sum it up from there.

(Remember host, source, and sourcetype are rewritten when summarized, so use the orig_ fields.)

Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...