Reputation: 113
Splunk Summary Indexes - why does sistats not work like stats?
I have created a summary index. I am making use of "sistats count by <fields>" to populate all the fields required. And I see those fields as well.
The issue is - On this index I am trying to use chart command and also stats count(<field>) as test (chart command in one query and stats count in another query) but it's not working. There are no results returned. Instead, if I use the stats command and populate data to a summary index, both commands work.
Please let me know why chart and stats do not work on the summary index that I have created using sistats. [sichart is also not working]. Am I missing some technical information here?
Upvotes: 1
Views: 561
Answers (1)
Reputation: 9926
When the sistats or sichart command is used to write to a summary index, the exact same options must be used in the corresponding stats or chart command to read from the summary index. This somewhat limits what you can do with your summary data. Because of that and the issues you've experienced, most users avoid the si commands.
Upvotes: 2
Related Questions
- Splunk: I am trying to create report by writing a query but the values are not displaying under statistics. How can I resolve this?
- Using stats with a base query
- What do the summary index 'psrsvd' fields stand for?
- Splunk: indexes and metrics
- Splunk showing wrong index time
- stats latest not showing any value for field
- How to merge two stats by in Splunk?
- Sum of count with Splunk
- Calculate mean deviation with Splunk
- Splunk returns some queries much faster than others