Using sistats, sitop, and sitimechart
First, let's define some new commands:
- sistats: the summary indexing version of the stats command, which calculates aggregate statistics over the dataset.
- sitop: the summary indexing version of the top command, which returns the most frequent values of a field or a combination of fields.
- sitimechart: the summary indexing version of the timechart command, which creates a time-series chart visualization with the corresponding table of statistics.
So far, we have used the stats command to populate our summary index. While this works perfectly well, the si* variants have a couple of advantages:
- The remaining portion of the query does not have to be rewritten. For instance, stats ...
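As an added example that is not from the book, here is the pattern the si* commands enable, expressed as two savedsearches.conf stanzas for a constructed SOC use case (failed logins per source address). The index names, search names, field names and the alert threshold are assumptions.

```ini
# Constructed example, not the book's code.
# Hourly populating search: runs five minutes past each hour over the
# previous hour and writes its results into the "summary" index.
[hourly_failed_logins]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = summary
# sistats stores the intermediate values that stats needs, so the
# reporting search can repeat the same stats clause unchanged, and
# dc(user) still gives a correct distinct count across hourly buckets.
search = index=auth action=failure | sistats count dc(user) by src_ip

# Reporting search over the summary index: the stats clause is identical
# to the one used above, only the data source changes.
[failed_logins_report]
search = index=summary search_name="hourly_failed_logins" | stats count dc(user) by src_ip | where count > 100
```

Had the populating search used plain stats instead, the report would have to be rewritten as sum(count) per src_ip, and dc(user) could not be recomputed from the stored per-hour distinct counts at all.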