Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the reporting command. For more information, see Overview of summary-based search acceleration and Use summary indexing for increased reporting efficiency in the Knowledge Manager Manual.
sitop command is the summary indexing version of the
top command, which returns the most frequent value of a field or combination of fields. The
sitop command populates a summary index with the statistics necessary to generate a top report. After you populate the summary index, use the regular
top command with the exact same search string as the
sitop command search to report against it.
sitop [<N>] [<top-options>...] <field-list> [<by-clause>]
Note: This is the exact same syntax as that of the
- Syntax: <field>, ...
- Description: Comma-delimited list of field names.
- Syntax: <int>
- Description: The number of results to return.
- Syntax: countfield=<string> | limit=<int> | otherstr=<string> | percentfield=<string> | showcount=<bool> | showperc=<bool> | useother=<bool>
- Description: Options for the
sitopcommand. See Top options.
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
- Syntax: countfield=<string>
- Description: The name of a new field that the value of count is written to.
- Default: count
- Syntax: limit=<int>
- Description: Specifies how many tuples to return, "0" returns all values.
- Default: "10"
- Syntax: otherstr=<string>
- Description: If useother is true, specify the value that is written into the row representing all other values.
- Default: "OTHER"
- Syntax: percentfield=<string>
- Description: Name of a new field to write the value of percentage.
- Default: "percent"
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- Default: true
- Syntax: showperc=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- Default: true
- Syntax: useother=<bool>
- Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff.
- Default: false
Compute the necessary information to later do 'top foo bar' on summary indexed results.
... | sitop foo bar
Populate a summary index with the top source IP addresses in a scheduled search that runs daily:
eventtype=firewall | sitop src_ip
Save the search as, "Summary - firewall top src_ip".
Later, when you want to retrieve that information and report on it, run this search over the past year:
index=summary search_name="summary - firewall top src_ip" |top src_ip
Additionally, because this search specifies the search name, it filters out other data that have been placed in the summary index by other summary indexing searches.
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release), 9.0.2303
Feedback submitted, thanks!