This gives us a table as shown in the following screenshot:
Now, to get ready for our summary index, we switch to sistats and add a search_name field, as the saved search would. Use testmode to make sure everything is working as expected, as follows:
source="impl_splunk_gen"
| bucket span=1h _time
| eval error=if(loglevel="ERROR",1,0)
| sistats count avg(req_time) dc(ip) sum(error) by _time user
| eval search_name="summary - user stats"
| collect index=summary_impl_splunk testmode=true
The results of this query show us what will actually be written to the summary
index, but as this is not designed for humans, let's simply test the round trip by
adding the original stats statement to the end, as follows:
source="impl_splunk_gen"
| bucket span=1h _time
| eval error=if(loglevel="ERROR",1,0)
| sistats count avg(req_time) dc(ip) sum(error) by _time user
| eval search_name="summary - hourly user stats - collect test"
| collect index=summary_impl_splunk testmode=true
| stats count avg(req_time) dc(ip) sum(error) by _time user
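To make the round trip concrete, here is an added Python model (not from the book and not Splunk's own code) of what sistats stores and what the trailing stats does with it: each summary row keeps intermediate values (a count, a running sum, the set of distinct ips, an error sum) rather than finished avg and dc values, which is why rows written by separate runs can still be merged. The event list, field values and the timestamp format are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events with the page's fields (hypothetical values).
EVENTS = [
    {"_time": "2024-01-01T10:05:00", "user": "bob", "loglevel": "INFO", "req_time": 120, "ip": "10.0.0.1"},
    {"_time": "2024-01-01T10:20:00", "user": "bob", "loglevel": "ERROR", "req_time": 300, "ip": "10.0.0.2"},
    {"_time": "2024-01-01T10:40:00", "user": "bob", "loglevel": "INFO", "req_time": 60, "ip": "10.0.0.1"},
    {"_time": "2024-01-01T10:50:00", "user": "mary", "loglevel": "ERROR", "req_time": 500, "ip": "10.0.0.3"},
    {"_time": "2024-01-01T11:10:00", "user": "bob", "loglevel": "INFO", "req_time": 90, "ip": "10.0.0.4"},
]

def bucket_hour(ts):
    """bucket span=1h _time: truncate an ISO timestamp to the hour."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0).isoformat()

def new_partial():
    return {"count": 0, "req_sum": 0.0, "ips": set(), "error_sum": 0}

def sistats(events):
    """Model of 'sistats count avg(req_time) dc(ip) sum(error) by _time user':
    one summary row per (_time, user) holding intermediate values, not the
    finished avg/dc, so rows from different runs can still be combined."""
    rows = defaultdict(new_partial)
    for e in events:
        p = rows[(bucket_hour(e["_time"]), e["user"])]
        p["count"] += 1
        p["req_sum"] += e["req_time"]
        p["ips"].add(e["ip"])
        p["error_sum"] += 1 if e["loglevel"] == "ERROR" else 0  # eval error=if(...)
    return list(rows.items())

def stats(rows):
    """Model of the trailing stats that reads summary rows back: merge partials
    that share a key, then finish avg and dc from the merged values."""
    merged = defaultdict(new_partial)
    for key, p in rows:
        m = merged[key]
        m["count"] += p["count"]
        m["req_sum"] += p["req_sum"]
        m["ips"] |= p["ips"]
        m["error_sum"] += p["error_sum"]
    return {key: {"count": m["count"], "avg(req_time)": m["req_sum"] / m["count"],
                  "dc(ip)": len(m["ips"]), "sum(error)": m["error_sum"]}
            for key, m in merged.items()}

def round_trip_matches(events, split):
    """Summary rows written by two separate runs must give the same final
    stats as one run over all events; that is what the testmode round trip checks."""
    two_runs = sistats(events[:split]) + sistats(events[split:])
    return stats(two_runs) == stats(sistats(events))
```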