Tsidx stats
by bill chung, 31 October 2013

Transcript of Tsidx stats

How it works
Remember what tsidx files are? They map keywords to raw data. Only indexed fields are stored as "key=value" pairs.
tscollect turns events into "key=value" data: search-time field extraction brings unstructured data into structured form.

Changes in Bubbles
  • Using the summarize command: distributed collection, datamodel acceleration
  • Indexed fields: the original tsidx files contain this information now, so there is no need to collect for indexed fields
  • Collect data to the $SID directory

Summary
tstats:
  • fast
  • runs stats on extra tsidx files
  • indexed fields (Bubbles)
  • distributed collection (Bubbles)
  • sid and datamodel sources (Bubbles)
TSIDX STATS
What is it?
A new style of stats. It works like SQL:

| tstats <aggregate> from <namespace> where <condition> by|groupby <field>

select <aggregate> from <table> where <condition> groupby <field>

Since Ace, not Bubbles: it was a hidden feature of Ace, with some changes in Bubbles.
How to use it?
Collect events:
<search> | tscollect namespace=<name>
Stored in:
$SPLUNK_DB/tsidxstats/<namespace>
as a table of "key=value" pairs.
Search:
| tstats <agg-opt> from <namespace> [prestats=<bool>] [where <condition>] [by|groupby <field>]
Summarize
Distributed collection: the data is collected on the indexer itself. Also used for datamodel acceleration.

Usage:
| summarize tstats=t id=<namespace> [<search>]
Stored in:
$SPLUNK_DB/<index>/datamodel_summary/$peer/$searchhead/<namespace>
Search:
| tstats <agg-opt> summariesonly=true [local=<bool>]
| tstats <agg-opt> from datamodel=<datamodel>
Indexed fields
The information is stored in the original tsidx files; their size is larger than in Ace.
Ace: 23701.08 (16191.8 + 7509.28)
Bubbles: 23686.50

tstats without specifying a namespace searches the default indexes; e.g. "| tstats count" will give the event counts.
Internal fields: Splunk doesn't recommend using indexed fields.
Bill Chung <cchung@splunk.com>
Why do we need it?
Fast! Stupid fast! 1000x faster than regular stats:
7870.494 (Ace, stats)
1567.529 (Bubbles, stats)
3.957 (Bubbles, tstats)
Leverage the power of structured data.
Agenda
  • What's tsidx stats, a.k.a. tstats?
  • Why do we need it?
  • How it works
  • Changes in Bubbles
  • Summary
  • Demo
Demo
Dispatch dir: tscollect without a namespace
<search> | tscollect
Stored in:
$SPLUNK_HOME/var/run/splunk/dispatch/$SID/tsidxstats

Search with sid:
| tstats <agg-opt> from sid=<sid>
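The workflow the slides describe (tscollect into a namespace, tstats over it, the namespace-less and datamodel forms, and the dispatch-directory variant) as a set of added example searches. These are not from the presentation. They assume a Splunk instance with the default _internal index (sourcetype splunkd, whose log_level and component fields are search-time extractions), an accelerated data model named Authentication with action and src fields as in the Common Information Model, and a namespace name splunkd_ns chosen here; <sid> stands for the search id of the tscollect job.

```spl
index=_internal sourcetype=splunkd
| tscollect namespace=splunkd_ns

| tstats count from splunkd_ns where log_level=ERROR by component
| sort - count

index=_internal sourcetype=splunkd log_level=ERROR
| stats count by component
| sort - count

| tstats prestats=t count from splunkd_ns where log_level=ERROR by _time span=1h, component
| timechart span=1h count by component

| tstats count where index=_internal by sourcetype

| tstats summariesonly=true count from datamodel=Authentication where Authentication.action=failure by Authentication.src
| sort - count

index=_internal sourcetype=splunkd
| tscollect

| tstats count from sid=<sid> where log_level=ERROR by component
```

The first search collects the splunkd events into the splunkd_ns namespace under $SPLUNK_DB/tsidxstats; because tscollect runs search-time extraction, log_level and component become "key=value" entries in the collected tsidx files and can be used in the where and by clauses of the second search. The third search is the regular stats equivalent over raw events, which is the comparison behind the timing figures above. The fourth search shows prestats=t, which is needed when tstats feeds a later reporting command such as timechart. The fifth search uses no namespace and therefore only sees indexed fields such as index, sourcetype, source and host, never search-time fields. The sixth search reads the accelerated Authentication data model summaries to count failed logins per source; with summariesonly=true, events that have not yet been summarized are silently omitted, so a detection built on it should account for the acceleration lag. The last two searches are the dispatch-directory variant: tscollect without a namespace writes under the search's $SID dispatch directory, which is read back with from sid=<sid> and disappears when that dispatch directory is reaped.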