Now, we could save this and send it straight to the summary index, but the results
are not terribly nice to use, and the average of the average would not be accurate.
On the other hand, we can use the sistats variant as follows:
sourcetype=impl_splunk_gen
| sistats count max(req_time) avg(req_time) min(req_time) by user
The results have a lot of extra information not meant for humans as shown in the
following screenshot:
Splunk knows how to deal with these results, and can use them in combination with
the stats functions as if they were the original results. You can see how sistats
and stats work together by chaining them together, as follows:
sourcetype=impl_splunk_gen
| sistats count max(req_time) avg(req_time) min(req_time) by user
| stats count max(req_time) avg(req_time) min(req_time) by user
Even though the stats function is not receiving the original events, it knows how to
work with these sistats summary events. We are presented with exactly the same
results as the original query, as shown in the following screenshot:
sitop and sitimechart work in the same fashion.
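Why the average of the average is inaccurate, and why saving mergeable partial results avoids the problem, shown as an added Python example that is not from the original text. The row layout (count, total, min, max per time window and user) and the sample events are assumptions made for illustration; this is a simplified model of the idea, not Splunk's actual sistats field format.

```python
# Added illustration: simplified model of mergeable summary rows.
# The row layout (count/total/min/max) is an assumption, not Splunk's sistats format.
from collections import defaultdict

# Constructed sample events: (time window, user, req_time)
EVENTS = [
    ("09:00", "mary", 100), ("09:00", "mary", 200), ("09:00", "mary", 300),
    ("09:00", "bob", 50),
    ("10:00", "mary", 1000),
    ("10:00", "bob", 150), ("10:00", "bob", 250),
]

def summarize(events):
    """Per (window, user) partial aggregates: what a summary search would save."""
    rows = {}
    for window, user, req_time in events:
        r = rows.setdefault((window, user),
                            {"count": 0, "total": 0, "min": req_time, "max": req_time})
        r["count"] += 1
        r["total"] += req_time
        r["min"] = min(r["min"], req_time)
        r["max"] = max(r["max"], req_time)
    return rows

def merge_by_user(rows):
    """Recombine the partial aggregates into exact per-user statistics."""
    out = {}
    for (_, user), r in rows.items():
        m = out.setdefault(user, {"count": 0, "total": 0, "min": r["min"], "max": r["max"]})
        m["count"] += r["count"]
        m["total"] += r["total"]
        m["min"] = min(m["min"], r["min"])
        m["max"] = max(m["max"], r["max"])
    return {u: {"count": m["count"], "avg": m["total"] / m["count"],
                "min": m["min"], "max": m["max"]} for u, m in out.items()}

def avg_of_avgs(rows):
    """The inaccurate shortcut: keep only avg per window, then average those."""
    per_user = defaultdict(list)
    for (_, user), r in rows.items():
        per_user[user].append(r["total"] / r["count"])
    return {u: sum(v) / len(v) for u, v in per_user.items()}

if __name__ == "__main__":
    rows = summarize(EVENTS)
    print("merged :", merge_by_user(rows))
    print("avg/avg:", avg_of_avgs(rows))
```

For mary, the merged rows give the true average over all four requests, while averaging the two per-window averages weights the single slow request at 10:00 as heavily as the three requests at 09:00.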