Refine your search:

Use of psrsvd fields in summary index

0

Is there any danger using psrsvd_vm_* type fields? Are they likely to change?

Use case:
I didn't need a count by siteid before, so I didn't include that in the sistats call that populates the summary. This reduced the number of entries in the summary index greatly. I did need dc(siteid), though, so the counts are actually there in the psrsvd_vm_siteid field. With a little juggling, I can rip those values back apart and use them like so.

... | eval _raw=psrsvd_vm_siteid | rex max_match=1000000 "(?<s>.*?;.*?);" | mvexpand s | eval _raw=s | fields -* -_* | rex "(?<siteid>.*?);(?<count>.*)" | stats count by siteid

Is there any danger in this?

asked 28 Sep '11, 10:52

vbumgarner's gravatar image

vbumgarner
1.8k210
accept rate: 23%

Be the first one to answer this question!
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×150
×46

Asked: 28 Sep '11, 10:52

Seen: 422 times

Last updated: 28 Sep '11, 10:52

Related questions

Custom summary index not showing up in "select the summary index" dropdown

how do you configure the searchead so it sends summary index data to a summary index defined on distributed indexers?

Summary-Indexing not writing to summary-index.

summary index and transactions spanning more than one summary interval

Missing fields in summary index

What do the summary index fields stand for?

Eval fields not making it to Summary index when stats is used.

Populating a summary index with transactions while preserving fields.

Summary Index Not Updating

Copyright © 2005-2012 Splunk, Inc. All rights reserved.