Answers for "Graphing or bucketing a summary indexed query"
https://answers.splunk.com/answers/7868/graphing-or-bucketing-a-summary-indexed-query.html
The latest answers for the question "Graphing or bucketing a summary indexed query"
Answer by Stephen Sorkin
https://answers.splunk.com/answering/7886/view.html
<p>How are you populating the summary index? If you're using "... | sitop http_domain" then the "... | top" is really the only valid thing you can do.</p>
<p>On the other hand, if you store the summary manually, say "... | stats count by http_domain", then you should be able to compute "... | timechart sum(count) by http_domain".</p>
<p>Calculating "... | top 50 http_domain" is a bit harder, say "... | stats sum(count) as count by http_domain | sort - count | head 50" and is even harder if you want percents, where you'll have to add "... | eventstats sum(count) as sum_count | eval percent = count / sum_count | fields - sum_count | ..." between the stats and the sort.</p>
Wed, 13 Oct 2010 11:07:19 GMT
Stephen Sorkin