Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the reporting command. For more information, see "About report accelleration and summary indexing" and "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.
sirare command is the summary indexing version of the
rare command, which returns the least common values of a field or combination of fields. The
sirare command populates a summary index with the statistics necessary to generate a rare report. After you populate the summary index, use the regular
rare command with the exact same search string as the
rare command search to report against it.
sirare [<top-options>...] <field-list> [<by-clause>]
- Syntax: <string>,...
- Description: Comma-delimited list of field names.
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
- Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
- Description: Options that specify the type and number of values to display. These are the same <top-options> used by the
- Syntax: countfield=<string>
- Description: Name of a new field to write the value of count.
- Default: "count"
- Syntax: limit=<int>
- Description: Specifies how many tuples to return, "0" returns all values.
- Syntax: percentfield=<string>
- Description: Name of a new field to write the value of percentage.
- Default: "percent"
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- Default: true
- Syntax: showpercent=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- Default: true
Compute the necessary information to later do 'rare foo bar' on summary indexed results.
... | sirare foo bar
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2012, 8.1.2011, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107, 8.2.2109