Implementing Splunk: Big Data Reporting and Development for Operational Intelligence by Vincent Bumgarner

Using sistats, sitop, and sitimechart

So far we have used the stats command to populate our summary index. While this works perfectly well, the si* variants (sistats, sitop, and sitimechart) have two advantages:

  • The remaining portion of the query does not have to be rewritten. For instance, stats count still works against the summary index as if you were counting the raw events.
  • stats functions that need more than what happened in a single slice of time still work. For example, if each time slice represents an hour, the average for a day cannot be computed from nothing but the hourly averages (averaging the averages weights every hour equally, regardless of how many events each hour held). sistats keeps enough intermediate information for the day-level calculation to come out correct.
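To make the second point concrete, here is an added stand-alone simulation (not code from the book, and not a description of Splunk's on-disk summary format) of two hourly summaries built from the same raw events. One keeps only the hourly average, as a plain `stats avg` summary would; the other keeps a running sum and count per hour, which is the minimal extra information a sistats-style summary has to retain for avg to recombine correctly. The event data and field names are constructed for the example.

```python
"""Why an hourly summary that stores only avg() cannot yield a correct daily
average, while one that keeps sum and count can.

Added illustration of the sistats-vs-stats point; the 'summary index' is a
Python dict standing in for the real thing. The assumption that a sistats-style
summary retains sum and count is an assumption for the example, not a statement
about Splunk's internal psrsvd encoding."""
from collections import defaultdict

# Constructed sample events: (hour_of_day, response_time_ms).
# Hour 0 is quiet with fast responses; hour 1 is busy with slow ones, so an
# average of the two hourly averages weights them equally and is wrong.
EVENTS = [
    (0, 100), (0, 120),
    (1, 900), (1, 950), (1, 1000), (1, 1100), (1, 1050), (1, 950),
]


def summarize_stats_avg(events):
    """Summary populated with `stats avg(response_time) by hour`:
    only the hourly average survives into the summary index."""
    by_hour = defaultdict(list)
    for hour, rt in events:
        by_hour[hour].append(rt)
    return {h: sum(v) / len(v) for h, v in by_hour.items()}


def summarize_sistats_avg(events):
    """Summary populated sistats-style: per hour, keep the pieces needed to
    recompute avg at any coarser granularity (sum and count)."""
    by_hour = defaultdict(lambda: {"sum": 0, "count": 0})
    for hour, rt in events:
        by_hour[hour]["sum"] += rt
        by_hour[hour]["count"] += 1
    return dict(by_hour)


def daily_avg_from_stats_summary(summary):
    """With only hourly averages available, all you can do is average them.
    This is the wrong answer whenever hours hold different event counts."""
    return sum(summary.values()) / len(summary)


def daily_avg_from_sistats_summary(summary):
    """Recombine the partial sums and counts: same result as over raw events."""
    total = sum(s["sum"] for s in summary.values())
    count = sum(s["count"] for s in summary.values())
    return total / count


def daily_count_from_sistats_summary(summary):
    """The first advantage from the text: `stats count` over the summary
    behaves like a count over the raw events, because counts simply add."""
    return sum(s["count"] for s in summary.values())


def true_daily_avg(events):
    """Ground truth computed directly over the raw events."""
    return sum(rt for _, rt in events) / len(events)


if __name__ == "__main__":
    print("raw events      :", true_daily_avg(EVENTS))
    print("stats summary   :", daily_avg_from_stats_summary(summarize_stats_avg(EVENTS)))
    print("sistats summary :", daily_avg_from_sistats_summary(summarize_sistats_avg(EVENTS)))
```

Running it shows the hourly-average summary reporting a daily average of roughly 551 ms against a true value of 771.25 ms, while the sum-and-count summary reproduces the true value exactly; this is the same defect a `stats avg` summary index has when it is later queried for a day, and the reason the text recommends sistats for that case.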

There are a few fairly serious disadvantages to be aware of:

  • The query using the summary index must use a subset of ...
