Hi,
We are planning to implement summary indexing in our dashboards. As part of it, I have created a scheduled search below which would give us time by hosts, and have enabled summary indexing for this report.
Provided summary index name: testhadoop
Added fields as: index=index1
index=index1 sourcetype="st:*:s1:s2"
| rex field=Real "(?<min>\d+)m" | rex field=Real "\d+m(?<sec>\d+)\.\d+" | rex field=Real "\d+m\d+\.(?<ms>\d+)"
| eval rt=min.":".sec.".".ms | convert mstime(rt) as seconds timeformat=%m:%s.%N
| eval seconds=round(seconds,2) | timechart avg(seconds) as secs by Host | eval Baseline=3
and then we have created a dashboard with the search below:
index=index1 sourcetype="st:*:s1:s2" | rex field=Real "(?<min>\d+)m"
| rex field=Real "\d+m(?<sec>\d+)\.\d+" | rex field=Real "\d+m\d+\.(?<ms>\d+)" | eval rt=min.":".sec.".".ms | convert mstime(rt) as seconds timeformat=%m:%s.%N
| eval seconds=round(seconds,2) | sitimechart avg(seconds) as secs by Host | eval Baseline=3|collect index=testhadoop testmode=true
But this is not retrieving the result we want. Instead, it is inserting new fields that are not available in our raw data; when we use the above search, these additional fields are displayed:
psrsvd_ct_seconds psrsvd_gc psrsvd_nc_seconds
Can someone please assist with this? We are new to summary indexing and are planning to implement it.
Thanks in advance.