First, let's define some new functions:

- `sistats`: This is the summary indexing version of the `stats` command, which calculates the aggregate statistics over the dataset.
- `sitop`: This is the summary indexing version of the `top` command, which returns the most frequent value of a field or a combination of fields.
- `sitimechart`: This is the summary indexing version of the `timechart` command, which creates a time series chart visualization with the corresponding table of statistics.
So far, we have used the `stats` command to populate our summary index. While this works very well, the `si*` variants have a couple of advantages:

- The remaining portion of the query does not have to be rewritten. For instance, `stats count` still works as if you were counting the raw events.
- The `stats` functions that require more data than what happened in that slice of time will still work. For example, if your time slices each represent an hour, it is not possible to calculate the average...
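The second advantage is easier to see with a small model. This added example (Python, not Splunk's implementation or code from the text) compares a summary that stores only each hour's average with one that keeps sum and count, the kind of intermediate values the `si*` commands preserve so that a later `stats avg(...)` still works; the event data is constructed.

```python
# Added example (not from the original text): models why a summary built
# with plain "stats avg(...)" cannot be re-aggregated correctly, while a
# summary that keeps intermediate values (sum and count here) can.
from statistics import mean

# Constructed raw events: (hour, response_time_ms). Hour 0 is quiet,
# hour 1 is busy with slow responses, so the hours carry unequal weight.
RAW_EVENTS = [(0, 100), (0, 120), (1, 500), (1, 520), (1, 540), (1, 560)]

def summarize_with_avg(events):
    """Per-hour summary as 'stats avg(rt) by hour' would store it."""
    by_hour = {}
    for hour, rt in events:
        by_hour.setdefault(hour, []).append(rt)
    return {h: mean(v) for h, v in by_hour.items()}

def summarize_with_sum_count(events):
    """Per-hour summary keeping sum and count, the shape si* commands rely on."""
    by_hour = {}
    for hour, rt in events:
        s, c = by_hour.get(hour, (0, 0))
        by_hour[hour] = (s + rt, c + 1)
    return by_hour

def daily_avg_from_avgs(summary):
    """Averaging stored hourly averages: wrong when hours differ in volume."""
    return mean(summary.values())

def daily_avg_from_sum_count(summary):
    """Recombining sums and counts reproduces the true average."""
    total = sum(s for s, _ in summary.values())
    count = sum(c for _, c in summary.values())
    return total / count

def true_daily_avg(events):
    """Reference value computed directly from the raw events."""
    return mean(rt for _, rt in events)

if __name__ == "__main__":
    print("raw events        :", true_daily_avg(RAW_EVENTS))          # 390
    print("avg of hourly avgs:", daily_avg_from_avgs(summarize_with_avg(RAW_EVENTS)))            # 320
    print("from sum and count:", daily_avg_from_sum_count(summarize_with_sum_count(RAW_EVENTS)))  # 390
```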