Using summary index events in a query
After the query to populate the summary index has run for some time, we can use
the results in other queries.
If you're in a hurry, or need to report against slices of time before the query
was created, you will need to "backfill" your summary index. See the How and
when to backfill summary data section for details about calculating summary values
for past events.
First, let's look at what actually goes into the summary index:
08/15/2012 10:00:00, search_name="summary - count by user", search_now=1345046520.000, info_min_time=1345042800.000, info_max_time=1345046400.000, info_search_time=1345050512.340, count=17, user=mary
Breaking this event down, we have:
08/15/2012 10:00:00 : This is the time at the beginning of this block of data.
This is consistent with how timechart and bucket work.
search_name="summary - count by user" : This is the name of the search.
This is usually the easiest way to find the results you are interested in.
search_now ... info_search_time : These are informational fields about
the summary entry, and are generally not useful to users.
count=17, user=mary : The rest of the entry will be whatever fields were
produced by the populating query. There will be one summary event per
row produced by the populating query.
Now let's build a query against this data. To start the query, we need to specify the
name of the index and the name of the search:
index="summary_impl_splunk" search_name="summary - count by user"
On my machine, this query loads 48 events, compared to the 22,477 original events.
Using stats, we can quickly find the statistics by user:
index="summary_impl_splunk" | stats sum(count) count by user
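To make concrete what that stats query is doing, here is an added Python example (not from the book or from Splunk) that parses summary events in the format shown above and reproduces sum(count) count by user over them. The events themselves are constructed for illustration, including one row from a hypothetical second populating search ("summary - count by host") to show why the search_name filter matters when several searches write into the same summary index.

```python
import re
from collections import defaultdict

# Constructed sample summary-index events in the format shown above.
# Times, counts and users are made up; the field names follow the real
# summary event layout. These are not events taken from the book.
SUMMARY_EVENTS = [
    '08/15/2012 10:00:00, search_name="summary - count by user", '
    'search_now=1345046520.000, info_min_time=1345042800.000, '
    'info_max_time=1345046400.000, info_search_time=1345050512.340, '
    'count=17, user=mary',
    '08/15/2012 10:00:00, search_name="summary - count by user", '
    'search_now=1345046520.000, info_min_time=1345042800.000, '
    'info_max_time=1345046400.000, info_search_time=1345050512.340, '
    'count=5, user=bob',
    '08/15/2012 11:00:00, search_name="summary - count by user", '
    'search_now=1345050120.000, info_min_time=1345046400.000, '
    'info_max_time=1345050000.000, info_search_time=1345054112.010, '
    'count=3, user=mary',
    # Hypothetical row written by a different populating search into the
    # same index; the search_name filter must exclude it.
    '08/15/2012 10:00:00, search_name="summary - count by host", '
    'search_now=1345046520.000, info_min_time=1345042800.000, '
    'info_max_time=1345046400.000, info_search_time=1345050512.340, '
    'count=99, host=web01',
]

# key=value pairs; the value is either a double-quoted string (search_name
# contains spaces) or a bare token running up to the next comma/space.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_summary_event(raw):
    """Split a summary event into its leading timestamp and a dict of fields.

    The timestamp is everything before the first ", "; it marks the start of
    the time block the row summarizes.
    """
    timestamp, _, rest = raw.partition(', ')
    fields = {'_time': timestamp}
    for key, value in FIELD_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def stats_by_user(events, search_name):
    """Equivalent of
        search_name=<name> | stats sum(count) count by user
    over summary events: per user, the total of the original events
    (sum_count) and the number of summary rows, i.e. time blocks, that
    contributed to it (count). Rows without a user field are dropped,
    just as stats ... by user would drop them.
    """
    totals = defaultdict(lambda: {'sum_count': 0, 'count': 0})
    for raw in events:
        ev = parse_summary_event(raw)
        if ev.get('search_name') != search_name or 'user' not in ev:
            continue
        totals[ev['user']]['sum_count'] += int(ev['count'])
        totals[ev['user']]['count'] += 1
    return dict(totals)


if __name__ == '__main__':
    result = stats_by_user(SUMMARY_EVENTS, 'summary - count by user')
    for user, row in sorted(result.items()):
        print(f"{user}\tsum(count)={row['sum_count']}\tcount={row['count']}")
```

The distinction between the two columns is the point of the page's query: sum(count) is the figure comparable to counting the raw events, while the plain count tells you how many summary rows (time blocks) contributed to it, which is a quick way to spot gaps in the summary that backfilling would need to cover.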