In this blog we are going to analyze and compare the Splunk summary indexing versions of the stats, visualization, and charting commands: sistats, sichart, and sirare.

Sistats command:

The sistats command is one of several commands that you can use to create summary indexes. It is the summary indexing version of the stats command.
Let's take an example to illustrate how the sistats command works.
We have sample superstore data, and we are calculating the maximum profit by region.

If we want to store the result in a summary index, we use the collect command.

If we then try to view the results by running the same query against the summary index, it will not show any results, as max of max(Profit) doesn't make any sense.

This is where sistats helps us out. Instead of using the stats command while storing results into the summary index, use the sistats command. The sistats command stores the information necessary to generate the results as expected. It adds some additional fields to the summary events.

Now if we query the summary index for the max profit by region, we get the same results as if we were querying the raw index.
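The behaviour described above can be modelled in a few lines of Python. This is an added illustration, not code from the original post or from Splunk, and it goes beyond the max(Profit) case by also tracking avg(Profit). The sample events, the hourly runs, and the count/sum/max partial fields are assumptions and are not the fields sistats actually writes.

```python
from collections import defaultdict
# Constructed sample events (not from the page): (hour bucket, Region, Profit)
EVENTS = [(0, "East", 120.0), (0, "East", 40.0), (0, "West", 75.0),
          (1, "East", 310.0), (1, "West", 15.0), (1, "West", 90.0), (1, "West", 60.0)]

def group(rows, key):
    out = defaultdict(list)
    for r in rows:
        out[key(r)].append(r)
    return out

def profits_per_run(events):
    """Profit values seen by each scheduled run, keyed by (hour, Region)."""
    return {k: [p for _, _, p in rs] for k, rs in group(events, lambda e: (e[0], e[1])).items()}

def stats_raw(events):
    """stats max(Profit) avg(Profit) by Region over the raw index (ground truth)."""
    return {reg: {"max": max(e[2] for e in rs), "avg": sum(e[2] for e in rs) / len(rs)}
            for reg, rs in group(events, lambda e: e[1]).items()}

def summarize_with_stats(events):
    """Model of 'stats | collect': only finished values are stored; Profit is gone."""
    return [{"Region": reg, "max(Profit)": max(ps), "avg(Profit)": sum(ps) / len(ps)}
            for (_, reg), ps in profits_per_run(events).items()]

def summarize_with_partials(events):
    """Simplified model of 'sistats | collect': store mergeable partial statistics."""
    return [{"Region": reg, "count": len(ps), "sum": sum(ps), "max": max(ps)}
            for (_, reg), ps in profits_per_run(events).items()]

def max_profit_over_stats_summary(rows):
    """Re-running max(Profit) by Region: no row carries a Profit field any more."""
    usable = [r for r in rows if "Profit" in r]
    return {reg: max(r["Profit"] for r in rs)
            for reg, rs in group(usable, lambda r: r["Region"]).items()}

def avg_of_stored_avgs(rows):
    """Averaging the stored averages weights every run equally, which is wrong."""
    return {reg: sum(r["avg(Profit)"] for r in rs) / len(rs)
            for reg, rs in group(rows, lambda r: r["Region"]).items()}

def stats_over_partials(rows):
    """Merge partials per Region: max of maxes, total sum divided by total count."""
    return {reg: {"max": max(r["max"] for r in rs),
                  "avg": sum(r["sum"] for r in rs) / sum(r["count"] for r in rs)}
            for reg, rs in group(rows, lambda r: r["Region"]).items()}

if __name__ == "__main__":
    print(stats_over_partials(summarize_with_partials(EVENTS)) == stats_raw(EVENTS))
```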

Sichart command:
Sichart is the summary indexing version of the chart command. It populates a summary index with the statistics necessary to generate chart visualizations.
It resolves the same issue of querying the summary index that sistats does in the example above.
We are able to query the summary index to get the desired results.

Sirare command:
The sirare command is the summary indexing version of the rare command, which returns the least common values of a field or combination of fields. It populates a summary index with the statistics necessary to generate a rare report.
As with sistats and sichart, we can then query the summary index for the desired results.
