Knowledge Management

summary index issue

karche
Path Finder

I have created a summary index, from the following query (i called it base query), and the summary index configured to run every 15min, time range is -17 to -2 mins.

source= | sistats avg(response_time) count by source, server_name, status_code, application

When i compare the result between the summary index and the base query in the same period, like yesterday with\without the 15 mins windows adjustment. There is a huge difference in the results, it does not matter count by source, server_name, status_code or application by itself.

source= | stats count by source
vs
index=summary search_name="summary_web_sistats" | stats count by source

What i did wrong here? Does anyone have the same issue using summary index?

Thanks in advance

Tags (1)
0 Karma

Takajian
Builder

I have never faced the same issue, but I sometimes see similar issue in my labo. As for my case, timestamp of indexed log was not correct or splunk took time to index the data due to some reasons. I am not sure if these factor is related to your case. But if timestamp of log or indexing time is not accurate, this affect summary index results.

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...