Re: Switch indexes to create a report for today an...

vijaykumartcs · ‎09-25-2017

I want to create report for last 7 days data, which should take last 6 days data from the summary index and for today's data it should take other index, by Switch Indexes.

is there a possibility?

gcusello · ‎09-25-2017

Hi vijaykumartcs,
use append to add events from your second index to the result from summary index:

| tstats count FROM your_summary_index GROUPBY field1, field2, field3
| append [search your_index earliest="-d@d" latest=now]
| table field1, field2, field3

using -7d@d and -d@d as earliest and latest in main search.
Bye.
Giuseppe

vijaykumartcs · ‎09-27-2017

can i use the same command for dashboards to.. i have created a dashboard with 6 panel's, with last 7days time frame for transaction's count between the A-b, B-c, C-D applications, daily more than 1lakh + transactions are flowing , now i want to use summary index for improving the performance.

gcusello · ‎09-27-2017

Hi vijaykumartcs,
I'm not sure to have understood your request.
Using the same logic: instead table you can use the calculations and elaboration to have the output you want.
Bye.
Giuseppe

rjthibod · ‎09-25-2017

Yes it is. It requires using append, join, union, or some other SPL command to combine the result sets together.

Can you share more information about how you search the data and what transforms you are applying to get the final result? The more you share, the more likely the community can give you a very detailed answer.

Switch indexes to create a report for today and the previous 6 days?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...