This produces a very simple table, as shown in the following screenshot:
We are calculating sum(count) and count in this query, which you might expect to produce the same number, but they are doing very different things:

sum(count): If you look back at our raw event, count contains the number of times that user appeared in that slice of time. We are storing the raw value in this count field. See the Using sistats, sitop, and sitimechart section for a completely different approach.

count: This actually represents the number of events in the summary index. The generator that is producing these events is not very random, so all users produce at least one event per hour.
Producing a timechart is no more complicated:
index="summary_impl_splunk" | timechart span=1h sum(count) by user
This produces our graph as shown in the following screenshot:
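To make the difference between sum(count) and count concrete, the following Python snippet simulates the two aggregations over a handful of constructed summary-index events. It is an added illustration, not Splunk code and not from the book; the sample rows (users, timestamps and counts) are invented, and the two functions mimic "stats sum(count) count by user" and "timechart span=1h sum(count) by user" respectively.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of summary-index events (hypothetical data, not from the book).
# Each row is one hourly summary event: (_time, user, count), where count holds the
# raw number of times that user appeared in that hour.
SUMMARY_EVENTS = [
    ("2024-01-01T00:00:00", "mary", 4),
    ("2024-01-01T00:00:00", "bob", 1),
    ("2024-01-01T01:00:00", "mary", 2),
    ("2024-01-01T01:00:00", "bob", 3),
    ("2024-01-01T02:00:00", "mary", 5),
    ("2024-01-01T02:00:00", "bob", 1),
    # alice appears in only one summary row, so her count is 1 while sum(count) is 7
    ("2024-01-01T02:00:00", "alice", 7),
]


def stats_by_user(events):
    """Simulates: | stats sum(count) count by user."""
    totals = defaultdict(lambda: {"sum(count)": 0, "count": 0})
    for _time, user, count in events:
        totals[user]["sum(count)"] += count  # raw occurrences stored in the field
        totals[user]["count"] += 1           # one per event in the summary index
    return dict(totals)


def timechart_sum_count_by_user(events, span_hours=1):
    """Simulates: | timechart span=1h sum(count) by user.

    Events are grouped into fixed buckets of span_hours and the stored
    count field is summed per user inside each bucket.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for time_str, user, count in events:
        ts = datetime.fromisoformat(time_str)
        bucket = ts.replace(hour=(ts.hour // span_hours) * span_hours,
                            minute=0, second=0, microsecond=0)
        buckets[bucket.isoformat()][user] += count
    return {b: dict(users) for b, users in sorted(buckets.items())}


if __name__ == "__main__":
    for user, row in stats_by_user(SUMMARY_EVENTS).items():
        print(f"{user:6} sum(count)={row['sum(count)']:3} count={row['count']}")
    for bucket, users in timechart_sum_count_by_user(SUMMARY_EVENTS).items():
        print(bucket, users)
```

Running it shows mary with sum(count)=11 and count=3, bob with sum(count)=5 and count=3, and alice with sum(count)=7 but count=1: count only tells you how many summary rows exist for a user, while sum(count) recovers the number of raw events those rows stand for.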