You cannot specify functions without applying them to fields or eval expressions that resolve into fields. You cannot use wildcards to specify field names. See Usage to learn more about using PREFIX(), and about searches you can run to find raw segments in your data.

The following table lists the supported functions by type of function. Use the links in the table to see descriptions and examples for each function. For an overview about using functions with commands, see Statistical and charting functions.

Optional arguments

append
Syntax: append=
Description: When in prestats mode (prestats=true), enables append=true where the prestats results append to existing results, instead of generating them.
Default: false

allow_old_summaries
Syntax: allow_old_summaries=true | false
Description: Only applies when selecting from an accelerated data model. When you change the constraints that define a data model but the Splunk software has not fully updated the summaries to reflect that change, the summaries may have some data that matches the old definition and some data that matches the new definition. To return results from summary directories only when those directories are up-to-date, set this parameter to false. If the data model definition has changed, summary directories that are older than the new definition are not used when producing output from the tstats command. This default ensures that the output from tstats always reflects your current configuration. When set to true, the tstats command uses both current summary data and summary data that was generated prior to the definition change. This is an advanced performance feature for cases where you know that the old summaries are "good enough," meaning the old summary data is close enough to the new summary data that its results are reliable. See When the data model definition changes and your summaries have not been updated to match it in the Splunk Cloud Platform Knowledge Manager Manual.
Default: false

chunk_size
Syntax: chunk_size=
Description: Advanced option. This argument controls how many events are retrieved at a time from a single tsidx file when the Splunk software processes searches. Lower this setting from its default only when you find a particular tstats search is using too much memory, or when it infrequently returns events. This can happen when a search groups by excessively high-cardinality fields (fields with a very large number of distinct values). In such situations, a lower chunk_size value can make tstats searches more responsive, but potentially slower to complete. However, a higher chunk_size can help long-running searches to complete faster, with the potential tradeoff of causing the search to be less responsive. For tstats, chunk_size cannot be set lower than 10000. The default value for the chunk_size argument is set by the chunk_size setting for the stanza in nf. If you have Splunk Cloud Platform, file a Support ticket to change this setting.
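The arguments above used together, as an added example that is not from the original documentation: two prestats-mode tstats searches, the second with append=true, finished by a single stats command. The accelerated data model Authentication, its action and src fields, and the chunk_size value of 20000 are assumptions chosen for illustration.

```spl
| tstats prestats=true allow_old_summaries=false chunk_size=20000 count
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY Authentication.src, Authentication.action
| tstats prestats=true append=true allow_old_summaries=false chunk_size=20000 count
    FROM datamodel=Authentication
    WHERE Authentication.action="success"
    BY Authentication.src, Authentication.action
| stats count BY Authentication.src, Authentication.action
```

Because both tstats commands run with prestats=true, neither produces final counts; the second adds its intermediate results to those of the first, and the closing stats command computes the totals. allow_old_summaries=false is the default and is written out only to show where the argument goes.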