Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the reporting command. For more information, see "About report acceleration and summary indexing" and "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.
The summary indexing version of the chart command. The sichart command populates a summary index with the statistics necessary to generate a chart visualization. For example, it can create a column, line, area, or pie chart. After you populate the summary index, you can use the chart command with the exact same search that you used with the sichart command to search against the summary index.
sichart [sep=<string>] [format=<string>] [cont=<bool>] [limit=<int>] [agg=<stats-agg-term>] ( <stats-agg-term> | <sparkline-agg-term> | "("<eval-expression>")" )... [ BY <field> [<bins-options>... ] [<split-by-clause>] ] | [ OVER <field> [<bins-options>...] [BY <split-by-clause>] ]
For syntax descriptions, refer to the chart command.
For information about functions that you can use with the sichart command, see Statistical and charting functions.
Compute the necessary information to later run 'chart avg(foo) by bar' on summary-indexed results.
... | sichart avg(foo) by bar
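The two-step workflow described above, written out as an added example that is not part of Splunk's documentation: the first search is saved and scheduled with summary indexing enabled, so it writes the statistics that sichart computes into the default summary index, and the second search charts those stored results instead of the raw events. The index auth, the sourcetype linux_secure, the fields action and host, and the saved search name failed_logins_by_host are assumptions.

```spl
index=auth sourcetype=linux_secure action=failure earliest=-1h@h latest=@h
| sichart count by host

index=summary search_name="failed_logins_by_host" earliest=-7d@d
| chart count by host
```

The chart clause in the second search must match the sichart clause of the first one term for term; search_name is the field that Splunk adds to summary-indexed events to identify the saved search that produced them.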
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sichart command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5