I have a simple query:
eventtype=request | stats sum(http_bytes) as transfer by http_domain | head 50 | sort -transfer
I'd like to summarize this, and pull out transfer apps over time. When I tried with:
eventtype=request | sistats sum(http_bytes) as transfer by http_domain | sort -transfer | head 100
This query gives me questionable results:
index="summary" search_name="Z - Top App Transfer - 15 minutes" | stats sum(http_bytes) as bytes by http_domain | sort -bytes | eval bytes = tostring(bytes, "commas") | head 50
The reason I'm summing http_bytes in the query is that the sistats didn't seem to store the field "transfer".
Any obvious things I'm doing wrong?
You should store to your summary index:
eventtype=request | sistats sum(http_bytes) as transfer by http_domain
You should retrieve from your summary index:
index=summary source=<saved_search_name> | stats sum(http_bytes) as transfer by http_domain | sort -transfer | eval transfer = tostring(transfer, "commas") | head 50
Specifically, you're not allowed to do any processing between sistats and the corresponding stats, except saving and retrieving the event set.
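As an added illustration of the store/retrieve split the answer describes (this is example configuration, not anything from the original post), the populating search can be wired up as a scheduled saved search in savedsearches.conf. The stanza name reuses the search name from the question, the 15-minute cadence and the index name "summary" come from the question, and the time window is an assumption; sistats does not write a "transfer" field at all, it writes internal psrsvd_* fields that only the later stats can reconstruct from, which is why the asker could not find "transfer" in the summary index.

```ini
# Example savedsearches.conf stanza (constructed for this illustration).
# Stanza name is used as the "source" of the summary events it writes.
[Z - Top App Transfer - 15 minutes]
enableSched = 1
# Run every 15 minutes over the previous 15-minute window (assumed window).
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
# Populating search: sistats only, nothing after it.
# No sort/head/eval here: any processing between sistats and the
# matching stats corrupts the partial results.
search = eventtype=request | sistats sum(http_bytes) as transfer by http_domain
# Write the partial results to the summary index.
action.summary_index = 1
action.summary_index._name = summary

# Retrieving search, run ad hoc or from a dashboard (not part of the stanza):
#   index=summary source="Z - Top App Transfer - 15 minutes"
#   | stats sum(http_bytes) as transfer by http_domain
#   | sort -transfer
#   | eval transfer = tostring(transfer, "commas")
#   | head 50
# The stats call must repeat the same aggregation and field names as the
# sistats call; sort, head and eval are only allowed after that stats.
```

Widening the retrieving search's time range (for example to 24 hours) rolls the 15-minute partials up over the longer period, which is how the "transfer over time" view in the question is obtained without rescanning the raw request events.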