I've created the following saved search into a Summary Index:
index=access host="xyz" sourcetype="*access*" startminutesago=5 | sistats dc(remote_host) by source
There are three different web servers running, so there are three different Weblogic access files involved.
When I run the search in Splunk normally (not against a summary index), it will produce a graph showing three lines, each one representing the Weblogic access file for that server. That's what I want. Here is the search I run:
index=access host="finch" sourcetype="*access*" | timechart dc(remote_host) by source
When I run it against the summary index, I get just a one-line graph that shows the total hits of the three web servers. For the source, it gives it the label of the saved search. Here is the search I run against the Summary Index:
index=summary report="webhits" | timechart dc(remote_host) by source
I also tried
index=summary report="webhits" | stats dc(remote_host) by source
with similar results.
Why can't the Summary Index search give me a graph with three lines? I find it odd that it sums it into one line and gives it the label of the saved search.
Any suggestions are appreciated.
It's a particular case of the field source being used up as the name of the summary search. You would need to use timechart dc(remote_host) by orig_source instead. You'd have a similar problem if host was one of your summarized fields.
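The behaviour described in the answer above, as an added example that is not part of the original thread: a small Python model of what summary indexing does to the source field. When a saved search writes into a summary index, each summary event gets source set to the saved-search name (here "webhits", the report= value from the question) and the original value is preserved in orig_source (likewise host in orig_host). Grouping the summary events by source therefore merges all three access files into one series, while grouping by orig_source keeps them apart. The access-log paths, remote hosts and the summarize() model are constructed for illustration; real sistats output stores its own intermediate structures rather than the plain sets used here.

```python
from collections import defaultdict

# The report= / saved-search name used in the thread.
SAVED_SEARCH_NAME = "webhits"

# Constructed sample of raw access events: (source file, remote_host).
# Three Weblogic access logs, one per web server; 10.0.0.2 appears in two of them.
RAW_EVENTS = [
    ("/opt/weblogic/server1/access.log", "10.0.0.1"),
    ("/opt/weblogic/server1/access.log", "10.0.0.2"),
    ("/opt/weblogic/server2/access.log", "10.0.0.2"),
    ("/opt/weblogic/server2/access.log", "10.0.0.3"),
    ("/opt/weblogic/server3/access.log", "10.0.0.4"),
    ("/opt/weblogic/server3/access.log", "10.0.0.4"),
]


def summarize(raw_events, search_name):
    """Model of '... | sistats dc(remote_host) by source' feeding a summary index.

    One summary event per original source. The summary event's own `source`
    field becomes the saved-search name; the original file name survives only
    in `orig_source` (hypothetical simplification of Splunk's summary events).
    """
    hosts_by_source = defaultdict(set)
    for src, remote in raw_events:
        hosts_by_source[src].add(remote)
    return [
        {
            "source": search_name,       # overwritten by summary indexing
            "orig_source": src,          # original value preserved here
            "report": search_name,
            "remote_hosts": set(hosts),  # stand-in for sistats' dc state
        }
        for src, hosts in hosts_by_source.items()
    ]


def dc_remote_host_by(summary_events, field):
    """Model of 'stats dc(remote_host) by <field>' over summary events.

    Distinct counts from events that share the grouping value are merged
    (set union), which is why grouping by `source` yields a single number.
    """
    groups = defaultdict(set)
    for ev in summary_events:
        groups[ev[field]] |= ev["remote_hosts"]
    return {key: len(hosts) for key, hosts in groups.items()}


def compare_groupings(raw_events=RAW_EVENTS, search_name=SAVED_SEARCH_NAME):
    """Return (by_source, by_orig_source) for the same summary data."""
    summary = summarize(raw_events, search_name)
    return dc_remote_host_by(summary, "source"), dc_remote_host_by(summary, "orig_source")


if __name__ == "__main__":
    by_source, by_orig_source = compare_groupings()
    print("by source      :", by_source)       # one series, labelled 'webhits'
    print("by orig_source :", by_orig_source)  # one series per access file
```

Running the block prints a single "webhits" series when grouping by source and three per-file series when grouping by orig_source, which is the difference between the two summary-index searches in the question.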
That did the trick, thanks!