Hi, I wrote a report that merges the results with a lookup table to add fields (like machineName). The lookup table contains the fields field,source. Then I do sistats as follows: index=....search q...
...atest=@d| DEDUP errorCode | SISTATS count as ErrNum max(_time) as _time
I'm searching a large amount of data that will have duplicates from time to time, so DEDUP is required to get the distinctive d...
Hi
I am seeing some weirdness with one of the saved searches that we have. One of these searches is of the form:
... | bucket span=1h _time | sistats median(field1), avg(field1) by _time,f...
Hello,
We have about 200 daily summaries, and about a third of them are sistats-based.
For resizing efforts, I wanted to get an overview of how much data each summary consumes on a daily b...
So, I was running ... | sistats count by host, source, sourcetype, field1, field2 and saving it to a summary index.
Then, I wanted to use the summary data to give me lists of hosts, s...
...9 xyz | 10 | 3 | 2 | 2 | 17 ColTotals | 22 | 5 | 6 | 3 | 36
But when I change stats to sistats to push into the summary index, it does not produce any result. Please help me with the query.
2...
I have a search to SI index=sec marker=01
sourcetype=cisco_firewall | bin _time span=5m | sistats count by log_level, hostname
When calling the results with
index=sec marker=01 | stats c...
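As an added example (not the poster's own searches), the summary-populating search from the post above paired with a report search that reads the summary back. The first search is written with an explicit `collect` so the example is self-contained; in the post the same thing is assumed to happen through the saved search's summary-indexing action, which is also where the `marker=01` field comes from. The report search keeps the same span and the same split-by fields that `sistats` used, which is the requirement for `stats` to reassemble the counts correctly; `index=sec`, `span=5m` and the field names are taken from the post.

```spl
index=sec sourcetype=cisco_firewall
| bin _time span=5m
| sistats count by log_level, hostname
| collect index=sec marker="marker=01"

index=sec marker=01
| stats count by _time, log_level, hostname
```

Run the first search on a schedule covering each 5-minute window once (overlapping runs write duplicate summary rows and inflate the counts); the second can be run over any time range and will aggregate the per-bucket rows. Dropping `_time` from the `by` clause of the report search gives totals per log_level and hostname over the whole range.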
I'm on Splunk Enterprise 6.6.1.
I run this search
| makeresults
| eval _time=now()
| bucket span=1d _time
| eval value=1
| sistats avg(value) as value by _time
But I'm not able to s...
I need to take already summarized data in the logs, aggregate it from a large group of servers, and build an si-type index. Looking at si-generated data from sistats fields, I have deduced the followi...