The broader question here, "what's the best way to count the distinct count of X for each value of foo and bar", has the simple answer

search | stats dc(X) BY foo, bar

But the question here is more about how to do this with summary indexing, which is complicated for distinct counts.

Populating a daily summary index with the results of something like

search | sistats dc(user_id) BY field1, field2, field3

will work great if you only want to report on distinct counts at the day granularity. But for week and month granularities it won't work. The reason is that the sistats command isn't going to preserve the actual values of the user_id's, just what the distinct counts were for each combination of fields on that day. As such it won't have any idea how many of the 150 users it saw on one day are the same users it saw on any other day, so adding up the daily counts over a week overcounts every user who shows up on more than one day.

On the other hand you could do

search | stats count BY user_id, field1, field2, field3

as your summary search. This would certainly work, but it is indeed quite a lot of rows if there are a lot of unique combinations of user_id, field1, field2, and field3. If the number of such unique combinations is close to the number of events in your raw data, that's a cardinal sin, and building this summary index is probably a bad idea that won't be much faster than running the reports against the raw data.

Sometimes a summary indexing use case gets a little overburdened. A sign of this is if the summary search uses a lot of fields, but no single report that runs against that summary uses more than a couple. In this case, finding the fault lines in the use cases and breaking it up into two or more summary indexed searches can alleviate that kind of "runaway cross product" and get you back into good performance.

And last but not least there's the sort of caveman approach of just running three summary index searches of

search | stats dc(user_id) BY field1, field2, field3

on three schedules: once a day, once a week, and once a month.

A separate note on null values and dc: a 'null' field in Splunk has no contents (see fillnull). If you have the literal string 'null' in your field, it has a value (namely, 'null') and dc will count it. If you do not want to count those, you need to filter them out before doing the stats dc(Field). For example, you could do this:

search NOT Field="null"
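The following is an added illustration, not code from the original post: a small Python model of the two summary strategies above. It uses constructed sample events (the users, days and field values are made up) and approximates what each Splunk command keeps in its summary rows, so you can see why a sistats dc summary cannot be rolled up from days to a week while a per-user stats count summary can, and how to check the "cardinal sin" row count.

```python
"""Model of two summary-index strategies for distinct counts.

All data here is constructed for the example; nothing is taken from a real
Splunk deployment. The functions approximate what each SPL summary search
leaves behind, not Splunk's internal sistats encoding.
"""
from collections import defaultdict

# Constructed sample events: (day, user_id, field1, field2, field3).
EVENTS = [
    (1, "alice", "web", "us", "ok"),
    (1, "bob",   "web", "us", "ok"),
    (1, "alice", "web", "us", "ok"),     # alice again, same day
    (2, "alice", "web", "us", "ok"),     # same user, new day
    (2, "carol", "web", "us", "ok"),
    (3, "bob",   "web", "us", "ok"),
    (3, "dave",  "api", "eu", "fail"),
    (4, "alice", "api", "eu", "fail"),
    (4, "dave",  "api", "eu", "fail"),
]


def sistats_dc_summary(events):
    """Approximates `... | sistats dc(user_id) BY field1 field2 field3` run once
    per day: each summary row keeps a count per (day, group), not which users."""
    seen = defaultdict(set)
    for day, user, *grp in events:
        seen[(day, tuple(grp))].add(user)
    return {key: len(users) for key, users in seen.items()}


def stats_count_summary(events):
    """Approximates `... | stats count BY user_id field1 field2 field3` run once
    per day: one row per (day, user, group), so the user_id values survive."""
    rows = defaultdict(int)
    for day, user, *grp in events:
        rows[(day, user, tuple(grp))] += 1
    return dict(rows)


def naive_weekly_dc(daily_dc):
    """What you get by summing the daily dc rows across the week. Wrong: a user
    seen on two days is counted twice."""
    out = defaultdict(int)
    for (_day, grp), n in daily_dc.items():
        out[grp] += n
    return dict(out)


def weekly_dc_from_rows(rows):
    """`... | stats dc(user_id) BY field1 field2 field3` over the per-user
    summary rows. Correct, because the user_id values are still present."""
    users = defaultdict(set)
    for (_day, user, grp), _count in rows.items():
        users[grp].add(user)
    return {grp: len(u) for grp, u in users.items()}


def true_weekly_dc(events):
    """Ground truth computed straight from the raw events."""
    users = defaultdict(set)
    for _day, user, *grp in events:
        users[tuple(grp)].add(user)
    return {grp: len(u) for grp, u in users.items()}


def summary_cardinality_ratio(events):
    """The 'cardinal sin' check: per-user summary rows divided by raw events.
    A ratio near 1.0 means the summary barely compresses the raw data."""
    return len(stats_count_summary(events)) / len(events)


if __name__ == "__main__":
    daily = sistats_dc_summary(EVENTS)
    print("summed daily dc (wrong):", naive_weekly_dc(daily))
    print("dc over per-user rows  :", weekly_dc_from_rows(stats_count_summary(EVENTS)))
    print("true weekly dc         :", true_weekly_dc(EVENTS))
    print("summary rows / events  :", round(summary_cardinality_ratio(EVENTS), 3))
```

With the sample data, summing the daily counts reports 5 distinct web users where there are really 3, while the per-user rows roll up to the right answer. The cardinality check comes out at 8 summary rows for 9 raw events, which is exactly the situation the text warns against: the summary would be nearly as large as the raw index.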