Unexpected behavior when graphing against a summary index

Branden
Builder

I've created the following saved search into a Summary Index:

index=access host="xyz" sourcetype="*access*" startminutesago=5 | sistats dc(remote_host) by source

There are three different web servers running, so there are three different Weblogic access files involved.

When I run the search in Splunk normally (not against a summary index), it will produce a graph showing three lines, each one representing the Weblogic access file for that server. That's what I want. Here is the search I run:

index=access host="finch" sourcetype="*access*" | timechart dc(remote_host) by source

When I run it against the summary index, I get just a one-line graph that shows the total hits of the three web servers. For the source, it gives it the label of the saved search. Here is the search I run against the Summary Index:

index=summary report="webhits" | timechart dc(remote_host) by source

I also tried

index=summary report="webhits" | stats dc(remote_host) by source

with similar results.

Why can't the Summary Index search give me a graph with three lines? I find it odd that it sums it into one line and gives it the label of the saved search.

Any suggestions are appreciated.

1 Solution

gkanapathy
Splunk Employee

It's a particular case of the field source being used up as the name of the summary search. You would need to use timechart dc(remote_host) by orig_source instead. You'd have a similar problem if host was one of your summarized fields.

Branden
Builder

That did the trick, thanks!
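The behaviour gkanapathy describes, modelled in a few lines of Python as an added example (not code from the post or from Splunk): the access events, host names, log paths and the remote_hosts field are constructed here; what is taken from Splunk is that a summary event's source is set to the saved-search name while the original value survives in orig_source, and that sistats keeps the distinct values (not just a count) so dc can be recombined.

```python
"""Why `timechart dc(remote_host) by source` collapses to one line over a summary index."""
from collections import defaultdict

REPORT = "webhits"  # saved-search name from the post

# Constructed raw access events: (source, remote_host). 10.0.0.1 hits two servers,
# so the per-source distinct counts (2 + 1 + 2) do not add up to the overall dc (4).
RAW_EVENTS = [
    ("/logs/web1/access.log", "10.0.0.1"),
    ("/logs/web1/access.log", "10.0.0.2"),
    ("/logs/web2/access.log", "10.0.0.1"),
    ("/logs/web3/access.log", "10.0.0.3"),
    ("/logs/web3/access.log", "10.0.0.4"),
]


def summarize(events, report):
    """Model `... | sistats dc(remote_host) by source` writing into a summary index.

    One summary event per original source. sistats keeps the set of distinct
    values (modelled as the constructed `remote_hosts` field) rather than a
    count, and summary indexing relabels `source` with the saved-search name,
    preserving the original value in `orig_source`.
    """
    distinct = defaultdict(set)
    for source, remote in events:
        distinct[source].add(remote)
    return [
        {"report": report, "source": report, "orig_source": src, "remote_hosts": hosts}
        for src, hosts in distinct.items()
    ]


def dc_by(summary_events, field):
    """Model `stats dc(remote_host) by <field>` over the summary events."""
    merged = defaultdict(set)
    for ev in summary_events:
        merged[ev[field]] |= ev["remote_hosts"]
    return {key: len(hosts) for key, hosts in merged.items()}


if __name__ == "__main__":
    summary = summarize(RAW_EVENTS, REPORT)
    # Every summary event carries source="webhits", so grouping by source
    # yields a single series labelled with the report name.
    print(dc_by(summary, "source"))       # {'webhits': 4}
    # Grouping by orig_source restores the three per-server series.
    print(dc_by(summary, "orig_source"))  # one entry per access log: 2, 1, 2
```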
