To use these results in a summary index, you would simply eliminate results going
into your data set. One way to accomplish this might be:
source="impl_splunk_gen"
| sitop req_time
| streamstats count as place
| where place<2001
The first row produced by sitop contains the total value.
Another approach, using a combination of eventstats and sistats, is as follows:
source="impl_splunk_gen"
| eventstats count by req_time
| sort 0 -req_time
| streamstats count as place
| where place<2001
| sistats count by req_time
Luckily, this is not a terribly common problem, so most of this complexity can be
avoided. For another option, see the Storing a running calculation section.
Storing raw events in a summary index
Sometimes it is desirable to copy events to another index. I have seen a couple of
reasons for doing this, namely:
Differing retention: If some special events need to be kept indefinitely, but the index where they are initially captured rolls off after some period of time, they can be captured into a summary index.
Enrichment: Sometimes the enrichment of data is too expensive to happen with every query, or it is important to capture events with the values from a lookup as the values existed at a particular point in time.
The process is essentially the same as creating any summary index events. Follow
these steps:
1. Create a populating query.
2. Add interesting fields using the fields command.
3. Add a search_name field to the search definition.
4. Include _time, but rename _raw to raw.
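The four steps above, carried through as one scheduled search, are shown here as an added worked example; this is not code from the book. It is a savedsearches.conf stanza that copies raw events from the impl_splunk_gen source into a summary index once an hour. The stanza name store_raw_impl_splunk_gen, the target index summary_impl_splunk, the hourly schedule and the list of kept fields (req_time, user) are assumptions chosen for illustration.

```ini
# savedsearches.conf (assumed stanza name and index name, for illustration only)
[store_raw_impl_splunk_gen]

# Step 1: the populating query.
# Step 2: fields keeps only the interesting fields (plus _time and _raw).
# Step 3: eval adds search_name so the copied events can be told apart later.
# Step 4: _time is kept as-is, _raw is renamed to raw so the original event
#         text survives as an ordinary field in the summary index.
search = source="impl_splunk_gen" \
  | fields _time _raw req_time user \
  | eval search_name="store_raw_impl_splunk_gen" \
  | rename _raw as raw

# Run at the top of every hour over the previous whole hour, so each event
# is copied exactly once and no hour is skipped or double counted.
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Write the results into the summary index instead of discarding them.
action.summary_index = 1
action.summary_index._name = summary_impl_splunk
```

Because the copied events carry raw, search_name and the original _time, they can be searched in the summary index with the same field extractions as the originals, and the search_name value makes it easy to separate them from other summary data written to the same index.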