Using collect to produce custom summary indexes
If the events destined for your summary index can be produced by a single report,
we can use the collect command to create the summary index entries ourselves. This
has the advantage that we can build the index in one shot, which can be much faster
than running the backfill script, since that script must run one search per slice of
time. For instance, if you want to calculate 15-minute slices over a month, the script
will fire off 2,880 queries.
If you dig into the code that actually produces summary indexes, you will find that
it uses the collect command to store events into the specified index. The collect
command is available to us, and with a little knowledge, we can use it directly.
First, we need to build a query that slices our data by buckets of time as follows:
source="impl_splunk_gen"
| bucket span=1h _time
| stats count by _time user
This gives us a simple table as shown in the following screenshot:
Notice that there is one row for each slice of time and, within that slice, one row for
each user that produced events during it.
Let's add a few more fields for interest:
source="impl_splunk_gen"
| bucket span=1h _time
| eval error=if(loglevel="ERROR",1,0)
| stats count avg(req_time) dc(ip) sum(error) by _time user
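Putting the two steps together: the bucketed stats search above followed by collect, which writes each result row into a summary index as one event. This is an added example, not a query from the book; the index name summary_impl_splunk, the renamed field names, and the read-back search are assumptions. The parenthesised field names that stats produces (avg(req_time), dc(ip), sum(error)) are renamed first so that later searches over the summary index can reference them without quoting.

```spl
source="impl_splunk_gen"
| bucket span=1h _time
| eval error=if(loglevel="ERROR",1,0)
| stats count avg(req_time) dc(ip) sum(error) by _time user
| rename avg(req_time) as avg_req_time, dc(ip) as dc_ip, sum(error) as error_count
| collect index=summary_impl_splunk

```

The summary index (summary_impl_splunk here) must already exist before collect runs, and collect does not deduplicate: running the search a second time over an overlapping time range writes the same rows again, so run it once over exactly the range you want to summarize, or check the summary index for existing rows in that range first. Because each row carries the bucketed _time, the summary events land at the start of their hour and can be reported on with the usual time picker, for example, to get per-user totals and the error rate across the summarized period:

index=summary_impl_splunk
| stats sum(count) as count sum(error_count) as errors by user
| eval error_pct=round(100*errors/count,2)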