Dear Splunk gurus,
I am trying to use Summary Indexing to improve reporting times for a Print Analytics dashboard. To this end, I am "upgrading" a search for Summary Indexing, but I've got stuck on a simple problem with the stats sum command. Here is the story so far:
My original search was:
SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | stats sum(pgs)
This examines the Windows system event log for print events, then performs a regex looking for a decimal number of pages and returns this as a value called "pgs"; finally it totals the number of pages. If I run this for the period "yesterday" I get a value of 15247 pages printed. All good so far.
Now modifying that search, replacing the stats command with summary index friendly sistats command I get:
SourceName=Print source=*WinEventLog:System | rex "pages printed: (?<pgs>\d+)" | sistats sum(pgs)
I immediately observed that I am getting much more returned than my page count sum. The search returns the following dataset:
psrsvd_ct_pgs 4018
psrsvd_gc 4692
psrsvd_nc_pgs 4018
psrsvd_sm_pgs 15247
psrsvd_ss_pgs 672921
psrsvd_v 1
psrsvd_vt_pgs 0
I am annoyed that these returns are not documented. By inspection I can see that the value I require is "psrsvd_sm_pgs 15247", which is numeric. I also note that "psrsvd_gc 4692" is the total number of events examined. I have no idea what the other fields mean.
Anyway, ignoring the other numbers, I created a saved search as per the Splunk documentation instructions Usesummaryindexing. I add the field report="Summary_total_pages_printed_yesterday" to my search, so I can extract it from the Summary index just fine. This, I am pleased to report, works as I expect it to.
My saved search executes at midnight and I can get the results returned just fine by running:
index="summary" report="Summary_total_pages_printed_yesterday"
on the time period of Yesterday. The dataset returned is this:
05/11/2011 00:00:00, search_name="Summary - total pages printed yesterday", search_now=1305154800.000, info_min_time=1305068400.000, info_max_time=1305154800.000, info_search_time=1305154963.926, psrsvd_ct_pgs=4018, psrsvd_gc=4692, psrsvd_nc_pgs=4018, psrsvd_sm_pgs=15247, psrsvd_ss_pgs=672921, psrsvd_v=1, psrsvd_vt_pgs=0, report="Summary_total_pages_printed_yesterday"
The problem arises when I try to run
index="summary" report="Summary_total_pages_printed_yesterday" | stats sum(psrsvd_sm_pgs)
on the time period of Yesterday, or last week, both of which return no results. I am expecting a stats sum command to work on summary index information, like in search, but it is not.
Can anyone tell me what I am doing wrong?
Once I crack this, it's a simple thing to update my dashboard and run reports looking at a whole month.
I am using Splunk 4.2.1.
Thanks
Alex
Have you tried it like this:
index="summary" report="Summary_total_pages_printed_yesterday" | stats sum(pgs)
That has resolved the problem.
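Added example, not code from the question, the answer or Splunk itself: a small Python model of what a `sistats sum(pgs)` row carries and why `stats sum(pgs)` (the original field name, as in the answer) is what combines those rows. The meanings given to psrsvd_gc, psrsvd_ct_pgs, psrsvd_nc_pgs and psrsvd_sm_pgs are inferred from the numbers in the question (gc = 4692 events seen, ct = nc = 4018 events with a numeric page count, sm = 15247, the sum); treating psrsvd_ss_pgs as a sum of squares is an assumption. The sample event messages, the daily time windows and the `coverage_gaps` check are constructed for illustration.

```python
"""
Model of summary-index rows written by `sistats sum(pgs)` and of the later
`stats sum(pgs)` over them. Added example; not from the original post or from
Splunk. psrsvd_* meanings are inferred from the question's numbers; psrsvd_ss
as sum-of-squares is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# Same extraction as the poster's rex: "pages printed: (?<pgs>\d+)"
PAGES_RE = re.compile(r"pages printed: (?P<pgs>\d+)")

# Constructed sample event messages (not real log data).
DAY1_EVENTS = [
    "Document 12, owned by alice. Size in bytes: 41234; pages printed: 12",
    "Printer HP-3 is now online.",  # no page count: counted in gc, not in ct
    "Document 13, owned by bob. Size in bytes: 900; pages printed: 3",
    "Document 14, owned by carol. Size in bytes: 5120; pages printed: 7",
]
DAY2_EVENTS = [
    "Document 15, owned by alice. Size in bytes: 2048; pages printed: 5",
    "Document 16, owned by dave. Size in bytes: 77; pages printed: 20",
    "Print spooler restarted.",
]

DAY = 86400.0  # constructed one-day windows for info_min_time/info_max_time


def extract_pgs(event: str) -> Optional[int]:
    """Equivalent of the rex: the page count, or None when the event has none."""
    m = PAGES_RE.search(event)
    return int(m.group("pgs")) if m else None


def sistats_sum(events: List[str], field: str = "pgs",
                min_time: float = 0.0, max_time: float = DAY) -> Dict[str, float]:
    """Build one summary row the way `sistats sum(<field>)` does: partial
    aggregates that remain mergeable, plus the run's time window."""
    values = [v for v in map(extract_pgs, events) if v is not None]
    return {
        "psrsvd_gc": len(events),                            # events the search saw
        f"psrsvd_ct_{field}": len(values),                   # events carrying the field
        f"psrsvd_nc_{field}": len(values),                   # ...whose value was numeric
        f"psrsvd_sm_{field}": sum(values),                   # the sum itself
        f"psrsvd_ss_{field}": sum(v * v for v in values),    # assumption: sum of squares
        "psrsvd_v": 1,
        "info_min_time": min_time,
        "info_max_time": max_time,
    }


def stats_sum(rows: List[Dict[str, float]], field: str = "pgs") -> int:
    """`| stats sum(pgs)` over summary rows: the original field name selects the
    psrsvd_sm_pgs partial sums, which simply add across rows (days, weeks...)."""
    return sum(int(r[f"psrsvd_sm_{field}"]) for r in rows)


def stats_avg(rows: List[Dict[str, float]], field: str = "pgs") -> float:
    """Why ct is kept alongside sm: an average over many rows needs both."""
    ct = sum(r[f"psrsvd_ct_{field}"] for r in rows)
    return sum(r[f"psrsvd_sm_{field}"] for r in rows) / ct


def coverage_gaps(rows: List[Dict[str, float]], start: float,
                  end: float) -> List[Tuple[float, float]]:
    """Check before trusting a monthly total: a skipped or failed scheduled run
    leaves no row, and stats then under-counts silently. Returns the
    [start, end) intervals that no row's info_min/max_time window covers."""
    gaps: List[Tuple[float, float]] = []
    cursor = start
    for r in sorted(rows, key=lambda r: r["info_min_time"]):
        if r["info_min_time"] > cursor:
            gaps.append((cursor, r["info_min_time"]))
        cursor = max(cursor, r["info_max_time"])
    if cursor < end:
        gaps.append((cursor, end))
    return gaps


if __name__ == "__main__":
    rows = [
        sistats_sum(DAY1_EVENTS, min_time=0 * DAY, max_time=1 * DAY),
        sistats_sum(DAY2_EVENTS, min_time=1 * DAY, max_time=2 * DAY),
    ]
    print("two-day total pages:", stats_sum(rows))
    print("uncovered windows in a 3-day report:", coverage_gaps(rows, 0, 3 * DAY))
```

The `stats_sum` function mirrors the working search in the answer: you name the field you originally aggregated, not the psrsvd_* column you can see in the raw summary events. The `coverage_gaps` check is the caveat that comes with any summary-index report: the total is only as complete as the set of scheduled runs that actually wrote rows.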
I downvoted this post because misuse of answer