distinct count not working on summary index (sista...

loganramirez · ‎06-13-2024

Splunk Enterprise 9.0.6 and building a summary index of sourcenumbers (count) and distinct destinations called (dc(destinationnumber))

When i run this:

...
| stats count dc(destinationnumber) by sourcenumber

I get something like

sourcenumber,count,dc(destinationnumber)
+15551234567,10,8

indicating it called 10 times to 8 different numbers.
adsf
perfect.

But with this:

...
| sistats count dc(destinationnumber) by sourcenumber

i get:

psrsvd_ct_destinationnumber,psrsvd_gc,psrsvd_v, psrsvd_vm_destinationnumber
10,10,1,+19991234567;2,+18881234567;2,+17771234567;1,+15551234567;1 (etc)

Found no clear help in the sistats page and other posts like this one it seems to work (though older posts and not using count)

Best guess is that vm column 'preserves' the details, but idk why dc() isn't working like I expect.

pashfw · ‎06-13-2024

sounds like it's by design
https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-with...
for fill_summary_index.py, described here https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Managesummaryindexgapsandoverlaps

distinct count not working on summary index (sistats)

stats

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake