If we have done everything correctly, the results should be identical to the
original table:
To actually run this query, we simply remove testmode from collect, as follows:
source="impl_splunk_gen"
| bucket span=1h _time
| eval error=if(loglevel="ERROR",1,0)
| sistats count avg(req_time) dc(ip) sum(error) by _time user
| eval search_name="summary - user stats"
| collect index=summary_impl_splunk
Beware that you will end up with duplicate values if you use the
collect command over a time frame that already has results in the
summary index. Either use a custom time frame to ensure you do not
produce duplicates, or investigate the delete command, which, as
mentioned earlier, is not efficient and should be avoided if possible.
No results will be available until the query is complete and the file created behind
the scenes is indexed. On my installation, querying one month of data, the query
inspected 2.2 million events in 173 seconds, producing 2,619 summary events.
Let's use the summary data now:
index=summary_impl_splunk
search_name="summary - hourly user stats - collect test"
| timechart sum(error) by user
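As an added illustration (not code from the book), the following Python simulates the sistats, collect and timechart steps above on a handful of constructed events, and adds the check a practitioner wants before running collect: which (hour, user) keys the summary index already holds for this search_name. The event values, epoch times and the plain field names are assumptions.

```python
from collections import defaultdict
from statistics import mean

SEARCH_NAME = "summary - user stats"
H0 = 472_222 * 3600  # an hour boundary (constructed epoch value)

# Constructed raw events standing in for source="impl_splunk_gen"
RAW_EVENTS = [
    {"_time": H0 + 100,  "user": "mary", "loglevel": "ERROR", "req_time": 120, "ip": "10.0.0.1"},
    {"_time": H0 + 200,  "user": "mary", "loglevel": "INFO",  "req_time": 80,  "ip": "10.0.0.1"},
    {"_time": H0 + 300,  "user": "bob",  "loglevel": "ERROR", "req_time": 300, "ip": "10.0.0.2"},
    {"_time": H0 + 3700, "user": "mary", "loglevel": "ERROR", "req_time": 100, "ip": "10.0.0.3"},
    {"_time": H0 + 3800, "user": "bob",  "loglevel": "INFO",  "req_time": 50,  "ip": "10.0.0.2"},
    {"_time": H0 + 3900, "user": "bob",  "loglevel": "ERROR", "req_time": 70,  "ip": "10.0.0.4"},
]

def bucket_hour(ts):
    """bucket span=1h _time: truncate to the start of the hour."""
    return ts - ts % 3600

def build_summary(events, search_name=SEARCH_NAME):
    """sistats count avg(req_time) dc(ip) sum(error) by _time user, plus eval search_name.
    Real sistats writes internal psrsvd_* fields; plain fields stand in for them here."""
    groups = defaultdict(list)
    for e in events:
        groups[(bucket_hour(e["_time"]), e["user"])].append(e)
    return [{"_time": t, "user": u, "search_name": search_name,
             "count": len(evs),
             "avg_req_time": mean(e["req_time"] for e in evs),
             "dc_ip": len({e["ip"] for e in evs}),
             "sum_error": sum(e["loglevel"] == "ERROR" for e in evs)}
            for (t, u), evs in sorted(groups.items())]

def collect(summary_index, rows):
    """collect appends blindly: hours already in the index are written again."""
    summary_index.extend(rows)

def already_summarized(summary_index, rows, search_name=SEARCH_NAME):
    """Check to run before collect: (hour, user) keys this search_name already holds."""
    existing = {(r["_time"], r["user"]) for r in summary_index if r["search_name"] == search_name}
    return sorted({(r["_time"], r["user"]) for r in rows} & existing)

def timechart_sum_error_by_user(summary_index, search_name=SEARCH_NAME):
    """index=summary_impl_splunk search_name=... | timechart sum(error) by user"""
    out = defaultdict(lambda: defaultdict(int))
    for r in summary_index:
        if r["search_name"] == search_name:
            out[r["_time"]][r["user"]] += r["sum_error"]
    return {t: dict(users) for t, users in out.items()}

if __name__ == "__main__":
    idx = []
    rows = build_summary(RAW_EVENTS)
    collect(idx, rows)
    print(timechart_sum_error_by_user(idx))  # one error per user per hour
    print(already_summarized(idx, rows))     # all four keys: a second collect would duplicate them
```

Running collect a second time over the same hours doubles every sum in the timechart, which is exactly the duplicate problem the warning above describes.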