Using sistats, sitop, and sitimechart
So far we have used the stats command to populate our summary index. While this works perfectly well, the si* variants have a couple of
advantages:
The remaining portion of the query does not have to be rewritten. For instance,
stats countstill works as if you were counting the raw events.statsfunctions that require more data than what happened in that slice of time will still work. For example, if your time slices each represent an hour, it is not possible to calculate the average value for a day using nothing but the average of each hour.sistatskeeps enough information to make this work.
There are a few fairly serious disadvantages to be aware of:
The query using the summary index must use a subset of the functions and split fields that were in the original populating query. If the subsequent query strays from what is in the original
sistatsdata, the results may be unexpected and difficult to debug. For example:The following code works fine:
source...
