I have the following search which works fine:
sourcetype=my_sourcetype some_filter |bucket _time span=1d | timechart count by some_field
Verifying decomposition into 1h bins works fine as well and matches the above.
sourcetype=my_sourcetype some_filter |bucket _time span=1h | sitimechart count by some_field | bucket _time span=1d|timechart count by some_field
Created saved search:
sourcetype=my_sourcetype some_filter |bucket _time span=1h | sitimechart count by calc_severity
Then back-filling summary index using:
./splunk cmd python fill_summary_index.py -app my_app -name my_search -et my_start_time -lt my_end_time -dedup true -auth my_user:my_pass
populating the summary index.
However, trying to regenerate the chart using:
index=summary source=my_source | bucket _time span=1d | timechart count by some_field
produces a wrong chart, as the values are much greater than the originals.
It seems to me that the values in the summary index are factored by permutations of the values of some_field.
Please advise
Thanks
A few observations:
Thanks much, switched to accelerated.