We're using tstats on accelerated datamodels, and it works like a charm...when using metadata fields (_time, host etc.)
*"Use the tstats command to perform statistical queries on indexed fields in tsidx files. The indexed fields can be from normal index data, tscollect data, or accelerated data models."*
*"Data model acceleration summaries are composed of multiple time-series index files [...] Each .tsidx file contains records of the indexed field::value combos in the selected dataset and all of the index locations of those field::value combos [...]"*
I assumed all I needed to do was to set INDEXED_EXTRACTIONS on a sourcetype, create a datamodel of said sourcetype, accelerate it and query/aggregate on my custom fields.
EDIT: I can't post links, but I realize that there's more to the process than my naive one-liner.
Is the documentation posted here the way to go? -> /Documentation/SplunkCloud/latest/Data/Configureindex-timefieldextraction
EDIT2: *"WRITE_META = true writes the extracted field name and value to _meta, which is where Splunk stores indexed fields."*
Wait, so are custom indexed extractions actually just new metadata? (In which case the description of how tstats works seems misleading...)
Any pointers or help appreciated.
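As an added example (not from the original post), the index-time extraction the quoted documentation describes: a transform that writes a field into _meta with WRITE_META, the fields.conf entry that tells search to use the indexed copy, and the tstats search that aggregates on it. The sourcetype `my_app`, the raw-event pattern `txn=<id>` and the field name `txn_id` are assumed placeholders.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data)
# Apply the transform below to events of the assumed sourcetype my_app.
[my_app]
TRANSFORMS-txn = add_txn_id

# transforms.conf (same host as props.conf)
# Capture the id from a constructed event such as "... txn=ab12cd ..."
# and write it as the indexed field txn_id::<value> into _meta.
[add_txn_id]
REGEX = txn=(\w+)
FORMAT = txn_id::$1
WRITE_META = true

# fields.conf (on the search head)
# Mark the field as indexed so searches read it from the tsidx files
# instead of trying to extract it from _raw at search time.
[txn_id]
INDEXED = true

# Search (run in the Search app, not a .conf file):
# | tstats count where index=main sourcetype=my_app by txn_id
# Only events indexed after these settings are in place carry the field;
# existing data is not rewritten.
```

Once the field is indexed it can be read by tstats directly, as in the commented search, with no data model involved; in an accelerated data model the same field is referenced through the model's dataset name.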