sirare
Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the reporting command. For more information, see "About report accelleration and summary indexing" and "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.
Description
The sirare
command is the summary indexing version of the rare
command, which returns the least common values of a field or combination of fields. The sirare
command populates a summary index with the statistics necessary to generate a rare report. After you populate the summary index, use the regular rare
command with the exact same search string as the rare
command search to report against it.
Syntax
sirare [<top-options>...] <field-list> [<by-clause>]
Required arguments
- <field-list>
- Syntax: <string>,...
- Description: Comma-delimited list of field names.
Optional arguments
- <by-clause>
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
- <top-options>
- Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
- Description: Options that specify the type and number of values to display. These are the same <top-options> used by the
rare
andtop
commands.
Top options
- countfield
- Syntax: countfield=<string>
- Description: Name of a new field to write the value of count.
- Default: "count"
- limit
- Syntax: limit=<int>
- Description: Specifies how many tuples to return, "0" returns all values.
- percentfield
- Syntax: percentfield=<string>
- Description: Name of a new field to write the value of percentage.
- Default: "percent"
- showcount
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- Default: true
- showpercent
- Syntax: showpercent=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- Default: true
Examples
Example 1:
Compute the necessary information to later do 'rare foo bar' on summary indexed results.
... | sirare foo bar
See also
sichart | sistats |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!