Splunk Search

Summary Indexing and Sort Orders

Kyle_Brandt
Path Finder

I am somewhat confused on how to set up my searches to populate my summary index. For example, two of the reports will have similar data but different sort orders:

starthoursago="2" endhoursago="1" eventtype="HAProxy Web Logs" | sistats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP | sort by count desc | head 2000

vs

starthoursago="2" endhoursago="1" eventtype="HAProxy Web Logs" | sistats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP | sort by sum(HTTP_HAPROXY_BYTES_SENT) | head 2000

Should I somehow be combining these two searches and then running the sorts from a search against the summary index?

0 Karma

gkanapathy
Splunk Employee

Yes. There is not much point in sorting the summarized data. You should sort when you retrieve the data from the summary. Summarization is not for saving a report, but rather for saving data.
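The setup the answer describes, as an added example that is not part of the original thread: one scheduled search that only summarizes with sistats (no sort, no head), and two ad-hoc searches that apply the different sort orders at retrieval time. The stanza name, the summary index name "summary", the "haproxy_by_client" marker value and the schedule are assumptions.

```ini
# savedsearches.conf (constructed example)
# One scheduled search populates the summary; it must not sort or truncate,
# because sistats output is raw summary data, not a finished report.
[HAProxy bytes by client - summary]
search = eventtype="HAProxy Web Logs" | sistats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP
enableSched = 1
# Runs once an hour over the previous complete hour (assumed schedule).
cron_schedule = 5 * * * *
dispatch.earliest_time = -2h@h
dispatch.latest_time = -1h@h
action.summary_index = 1
action.summary_index._name = summary
# Marker field so retrieval searches can select only these summary events.
action.summary_index.report = haproxy_by_client

# Retrieval searches run against the summary index, where stats re-reads the
# sistats fields and each report applies its own ordering:
#
#   index=summary report=haproxy_by_client
#     | stats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP
#     | sort - count | head 2000
#
#   index=summary report=haproxy_by_client
#     | stats count, sum(HTTP_HAPROXY_BYTES_SENT) by HTTP_CLIENT_IP
#     | sort - sum(HTTP_HAPROXY_BYTES_SENT) | head 2000
```

Keeping the summary search free of head means the stored counts stay complete, so a later "top talkers by bytes" report is not silently limited to whichever 2000 clients sorted first by count.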
