We would like to benefit from the performance benefit of an accelerated data model, however, we also need to summarize data from the accelerated data model into a summary index.
I would like to use sistats with an accelerated data model. Is this possible? There doesn't seem to be any commands that will allow for this.
You'll find tstats
is just that, specify the data model with the FROM
keyword and go.
http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/tstats