I'm trying to set up a summary index using the sitimechart command.
I read a lot about it, in the docs and in this forum, but couldn't find the solution yet.
My search is as follows:
index=_internal service=A level=30
| timechart span=1m avg(durationMS) count
Now, this search returns a timechart with the duration and count for every minute.
When running it with a summary index, I get a different result:
index=_internal service=A level=30
| sitimechart span=1m avg(durationMS) count
I get all the psrsvd fields, without the actual count and durationMS.
It seems I need to calculate it again from psrsvd_ct_durationMS and psrsvd_sm_durationMS, which is not what I want.
The docs say that I should be able to run the same search on the summary index and get the same results.
What am I missing?
Summary statistics need to be written to a summary index. Later, use the timechart command to read those summary stats from the summary index.
index=_internal cpu_seconds=*
| sitimechart span=1m avg(cpu_seconds) count
| collect index=sistats
index=sistats
| timechart span=1m avg(cpu_seconds) count
Sample:
index=_internal sourcetype=splunkd
| sitimechart span=1m avg(largest_size) count
| timechart span=1m avg(largest_size) count
Reference:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing
It seems to be fine to continue with timechart.
Recommended:
index=_internal service=A level=30
| sitimechart span=1m avg(durationMS) count
| timechart span=1m avg(durationMS) count
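The mechanism behind both answers (sitimechart writes per-bucket prestats rows, timechart merges and finishes them when reading the summary index), modelled in Python as an added example that is not Splunk's code and not from this thread. The events, the function names and the assumption that psrsvd_ct_/psrsvd_sm_ hold a plain count and sum are constructed for the illustration; it also shows why collecting finished timechart output instead would break the averages.

```python
"""Model of Splunk prestats (psrsvd_*) fields. Added example, not Splunk code:
events and field names are constructed; only ct (count) and sm (sum) are modelled."""
import statistics
from collections import defaultdict
# Constructed events (epoch seconds, durationMS), assumed to already match the
# question's filters service=A level=30.
RAW_EVENTS = [
    (0, 100.0), (10, 300.0), (59, 200.0),   # minute 0: avg 200, count 3
    (61, 50.0), (62, 150.0),                # minute 1: avg 100, count 2
    (125, 400.0),                           # minute 2: avg 400, count 1
]

def sitimechart(events, field="durationMS", span=60):
    """Like `sitimechart span=1m avg(<field>) count`: per bucket emit the
    mergeable parts (count, sum) as psrsvd fields, not the finished average."""
    acc = defaultdict(lambda: [0, 0.0])
    for ts, value in events:
        acc[ts - ts % span][0] += 1
        acc[ts - ts % span][1] += value
    return [{"_time": b, f"psrsvd_ct_{field}": ct, f"psrsvd_sm_{field}": sm}
            for b, (ct, sm) in sorted(acc.items())]

def timechart_from_summary(rows, field="durationMS", span=60):
    """Like `timechart span=1m avg(<field>) count` over the summary index:
    merge every prestats row in a bucket, then finish avg = sum / count."""
    acc = defaultdict(lambda: [0, 0.0])
    for row in rows:
        b = row["_time"] - row["_time"] % span
        acc[b][0] += row[f"psrsvd_ct_{field}"]
        acc[b][1] += row[f"psrsvd_sm_{field}"]
    return {b: {"count": ct, f"avg({field})": sm / ct}
            for b, (ct, sm) in sorted(acc.items())}

def timechart_direct(events, field="durationMS", span=60):
    """Ground truth: plain timechart over the raw events."""
    vals = defaultdict(list)
    for ts, value in events:
        vals[ts - ts % span].append(value)
    return {b: {"count": len(v), f"avg({field})": statistics.mean(v)}
            for b, v in sorted(vals.items())}

def merge_finished_averages(chunks, field="durationMS", span=60):
    """What collecting finished timechart output would do instead: averaging
    two partial-bucket averages ignores their weights and gives a wrong result."""
    per_bucket = defaultdict(list)
    for chunk in chunks:
        for b, r in timechart_direct(chunk, field, span).items():
            per_bucket[b].append(r[f"avg({field})"])
    return {b: statistics.mean(a) for b, a in sorted(per_bucket.items())}
```

Feeding two partial runs of the same minute through sitimechart and merging them (as two `collect` runs would) reproduces the direct timechart exactly, while merge_finished_averages returns 175 for the first minute where the true average is 200.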