Splunk Search

My first summary index - what am I doing wrong with the stats command?

alexoldman
Explorer

Dear Splunk gurus,

I am trying to use Summary Indexing to improve reporting times for a Print Analytics dashboard. To this end, I am "upgrading" a search for Summary Indexing, but I've got stuck on a simple problem with the stats sum command. Here is the story so far:

My original search was:

SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | stats sum(pgs)

This examines the Windows system event log for print events, then performs a regex looking for a decimal number of pages and returns this as a value called "pgs"; finally it totals the number of pages. If I run this for the period "yesterday" I get a value of 15247 pages printed. All good so far.

Now, modifying that search by replacing the stats command with the summary-index-friendly sistats command, I get:

SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | sistats sum(pgs)

I immediately observed that I am getting much more returned than my page count sum. The search returns the following dataset:

psrsvd_ct_pgs 4018
psrsvd_gc 4692
psrsvd_nc_pgs 4018
psrsvd_sm_pgs 15247
psrsvd_ss_pgs 672921
psrsvd_v 1
psrsvd_vt_pgs 0

I am annoyed that these return values are not documented. By inspection I can see that the value I require is "psrsvd_sm_pgs 15247", which is numeric. I also note that "psrsvd_gc 4692" is the total number of events examined. I have no idea what the other fields mean.

Anyway, ignoring the other numbers, I created a saved search as per the Splunk documentation instructions "Use summary indexing". I add the field report="Summary_total_pages_printed_yesterday" to my search, so I can extract it from the Summary index just fine. This, I am pleased to report, works as I expect it to.

My saved search executes at midnight and I can get the results returned just fine by running:

index="summary" report="Summary_total_pages_printed_yesterday" 

on the time period of Yesterday. The dataset returned is this:

05/11/2011 00:00:00, search_name="Summary - total pages printed yesterday", search_now=1305154800.000, info_min_time=1305068400.000, info_max_time=1305154800.000, info_search_time=1305154963.926, psrsvd_ct_pgs=4018, psrsvd_gc=4692, psrsvd_nc_pgs=4018, psrsvd_sm_pgs=15247, psrsvd_ss_pgs=672921, psrsvd_v=1, psrsvd_vt_pgs=0, report="Summary_total_pages_printed_yesterday"

The problem arises when I try to run

index="summary" report="Summary_total_pages_printed_yesterday" | stats sum(psrsvd_sm_pgs)

on the time period of Yesterday, or last week, both of which return no results. I am expecting a stats sum command to work on summary index information, like in search, but it is not.

Can anyone tell me what I am doing wrong?

Once I crack this, it's a simple thing to update my dashboard and run reports looking at a whole month.

I am using Splunk 4.2.1.

Thanks
Alex

1 Solution

Ron_Naken
Splunk Employee

Have you tried it like this:

index="summary" report="Summary_total_pages_printed_yesterday" | stats sum(pgs)

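As an added example that is not part of the original thread, here is the whole pattern written out as savedsearches.conf stanzas: sistats writes its intermediate psrsvd_* bookkeeping fields into the summary index, and a later stats that uses the same function on the original field name (sum(pgs)) reads those fields back, so the reporting search never touches psrsvd_sm_pgs directly. The stanza names, the split by host and the 30-day reporting window are assumptions made for illustration.

```ini
# savedsearches.conf (assumed example, not from the thread)

# Nightly search that populates the summary index for "yesterday".
# Every key of the form action.summary_index.<field> = <value> adds that
# field to each summary event, which is how "report" ends up in the index.
[Summary - total pages printed yesterday]
search = SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | sistats sum(pgs) by host
enableSched = 1
cron_schedule = 0 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = Summary_total_pages_printed_yesterday

# Dashboard search over the summary index. stats must repeat the same
# function on the original field (sum(pgs)); it reads the psrsvd_* fields
# itself, so summing psrsvd_sm_pgs by hand is neither needed nor correct.
[Report - pages printed last 30 days by host]
search = index=summary report="Summary_total_pages_printed_yesterday" | stats sum(pgs) AS total_pages by host
dispatch.earliest_time = -30d@d
dispatch.latest_time = @d
```

Because the split-by field (host) is carried through sistats, the second search can group by it without the raw events being reindexed.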

alexoldman
Explorer

That has resolved the problem.

0 Karma

bhawkins1
Communicator

I downvoted this post because of misuse of answer

0 Karma
