Splunk Search

Summary index for rolling 30d count not working as expected

craigcook
New Member

I've just started using summary indexes - I have two searches that work as expected on querying data in just the previous day.

I also what a job that queries our unique users over the previous 30 days

Here is my summary query:

event=login 
| sistats dc(user_id)

In the UI for Time range I have: from: -30d@d to: @d

and this runs every day at midnight

What I think this does:

query the login events
count the distinct ids for the previous 30 days

store them in a summary index using sistats

My retrieval query is:

event=login 
| stats dc(user_id) by _time

What I expect this to do:

return the summarized 30 day distinct count day over day

What I get:
the summarized value for 30 days : SUCCESS!

the timestamp for the count is 30 days ago and not the date of the summary run

Can someone point me to what I am doing wrong? I don't understand why the timestamp is 30 days ago and not the date of the scheduled run

Tags (1)
0 Karma

craigcook
New Member

I found the following thread:

sistats vs stats

I will try this approach and see if it works better. Ultimately I was building two indexes one for daily and one for 30 days, but this link suggests to use the same index as data for both.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...