Splunk Search

Summary Indexing and Sort Orders

Kyle_Brandt
Path Finder

I am somewhat confused on how to set up my searches to populate my summary index. For example, two of the reports will have similar data but different sort orders:

starthoursago="2" endhoursago="1" eventtype="HAProxy Web Logs" | sistats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP | sort by count desc | head 2000

vs

starthoursago="2" endhoursago="1" eventtype="HAProxy Web Logs" | sistats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP | sort by sum(HTTP_HAPROXY_BYTES_SENT) | head 2000

Should I somehow be combing these two searches and then running the sorts from search against the summary index?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Yes. There is not much point in sorting the summarized data. You should sort when you retrieve the data from the summary. Summarization is not for saving a report, but rather for saving data.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...