First, let's define some new functions:

sistats: the summary indexing version of the stats command, which calculates aggregate statistics over the dataset.

sitop: the summary indexing version of the top command, which returns the most frequent values of a field or a combination of fields.

sitimechart: the summary indexing version of the timechart command, which creates a time-series chart visualization with the corresponding table of statistics.
So far, we have used the stats command to populate our summary index. While this works perfectly well, the si* variants have a couple of advantages:

- The remaining portion of the query does not have to be rewritten. For instance, stats count still works as if you were counting the raw events.
- The stats functions that require more data than what happened in that slice of time will still work. For example, if your time slices each represent an hour, it is not possible to calculate...
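The following savedsearches.conf stanzas are an added example, not configuration from the original text: they show a populating search that uses sistats and a reporting search that runs the ordinary stats clause over the summary index. The index names (web, summary), the sourcetype, the field names (clientip, bytes, host) and the saved search names are assumptions chosen for illustration.

```ini
# savedsearches.conf (assumed app-local config; added example, not from the original text)

# Populating search: runs five minutes past every hour over the previous whole
# hour and writes its results to the summary index. sistats stores the
# intermediate data each function needs (for example, the values behind
# dc(clientip)), not just the finished numbers for that hour.
[hourly_web_stats]
search = index=web sourcetype=access_combined | sistats count dc(clientip) avg(bytes) by host
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary

# Reporting search over the summary index. The stats clause is the same one
# that would be run against the raw events, with the same functions and the
# same by fields; Splunk reassembles the final values from the stored
# intermediate data. Events written by a summary indexing search carry the
# name of that search in the source field, which is used here to select them.
[daily_web_report]
search = index=summary source="hourly_web_stats" | stats count dc(clientip) avg(bytes) by host
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
```

Two points worth checking when adopting this pattern. First, the reporting search must keep the same functions and by clause as the sistats search; if you need a different breakdown, change the populating search rather than the report. Second, compare it with the plain stats approach: an hourly count can be summed correctly over a day, but a sum of hourly dc(clientip) values overcounts any client seen in more than one hour, and an average of hourly avg(bytes) values weights every hour equally regardless of how many events it had. The si* commands avoid both problems because the summary keeps enough data to recompute the function over the whole period.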