Hello,
I would like to confirm my understanding of the following manual, and to know how to get the max value from psrsvd_gc.
First, I saw this caution in the manual.
Caution: Use of these fields and their encoded data by any search commands other than the si* summary indexing commands is unsupported. The format and content of these fields can change at any time without warning.
I have understood that the psrsvd fields could not be aggregated by streaming commands like stats, chart.
Is that correct?
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Usesummaryindexing
If that is correct, I have no idea how to aggregate the maximum value in the summary index data.
The summary index data are created by the following search.
"index=_internal | sitimechart span=1m count by sourcetype"
And the following fields are to be stored as events in "summary" by the "Log event" function.
> psrsvd_gc=$result.psrsvd_gc$,> psrsvd_v=$result.psrsvd_v$
And I would like to search for the max value of "psrsvd_gc" per week.
I would appreciate any tips, advice, or suggestions.
Best regards,