3

Summary indexing in Splunk produces a lot of psrsvd_* fields. What do they stand for? I presume they're acronyms or abbreviations. Here are some examples when averaging the number of bytes returned per client IP, as logged by Apache (i.e. sistats avg(bytes) by clientip):

  • psrsvd_ct_bytes
  • psrsvd_gc
  • psrsvd_nc_bytes
  • psrsvd_sm_bytes
  • psrsvd_ss_bytes
  • psrsvd_v
  • psrsvd_vt_bytes
Simon Chiang

2 Answers

4

These fields are an artifact of using the si* version of reporting commands. The fields are specially named so that on retrieval from the summary index, the reporting command (chart/timechart/stats) can properly decode the information.

psrsvd stands for "prestats reserved"

The general pattern is psrsvd_[type]_[fieldname], although some types are not scoped to a field.

ct = count
gc = group count (the count for a stats "grouping", not scoped to a field)
nc = numerical count (number of numerical values)
sm = sum
ss = sum of squares
v = version (not scoped to a field)
vt = value type (contains the precision of this field)

So for example, the count for a field named 'foobar' is stored as psrsvd_ct_foobar.

Steve
1

Here's an updated list, which is now highlighted in Splunk docs:

  • ct = count
  • gc = group count (the count for a stats "grouping," not scoped to a single field)
  • nc = numerical count (number of numerical values)
  • nn = minimum numerical value
  • nx = maximum numerical value
  • rd = rdigest of values (values and the number of times they appear)
  • sm = sum
  • sn = minimum lexicographical value
  • ss = sum of squares
  • sx = maximum lexicographical value
  • v = version (not scoped to a single field)
  • vm = value map (all distinct values for the field and the number of times they appear)
  • vt = value type (contains the precision of the associated field)
Lowell
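
The naming pattern and type codes from the answers above, as an added example (not code from the original posts or from Splunk): a Python sketch that splits psrsvd_* names into type and field, then merges the additive partials nc, sm and ss from several summary rows into an average and sample standard deviation. The function names, the sample rows and their values are constructed, and the merge arithmetic is an assumption about how such partials combine, not Splunk's implementation.

```python
import math
import re
# Type codes as listed in the answers above; the scoped/unscoped split follows their notes.
FIELD_TYPES = {"ct", "nc", "nn", "nx", "rd", "sm", "sn", "ss", "sx", "vm", "vt"}
ROW_TYPES = {"gc", "v"}  # not scoped to a field
_NAME = re.compile(r"^psrsvd_([a-z]+)(?:_(.+))?$")

def parse_name(name):
    """Split a psrsvd_* name into (type, fieldname); None if it is not one."""
    m = _NAME.match(name)
    if not m:
        return None
    code, field = m.groups()
    if code in ROW_TYPES and field is None:
        return code, None
    if code in FIELD_TYPES and field:
        return code, field
    return None

def merge(rows, field):
    """Add up the additive partials (ct, nc, sm, ss) for one field across rows."""
    total = {"ct": 0.0, "nc": 0.0, "sm": 0.0, "ss": 0.0}
    for row in rows:
        for name, value in row.items():
            parsed = parse_name(name)
            if parsed and parsed[1] == field and parsed[0] in total:
                total[parsed[0]] += float(value)
    return total

def avg_and_stdev(total):
    """Mean and sample standard deviation from nc, sm and ss alone."""
    n, s, q = total["nc"], total["sm"], total["ss"]
    if n == 0:
        return None, None
    mean = s / n
    if n < 2:
        return mean, None
    var = max((q - s * s / n) / (n - 1), 0.0)  # clamp rounding noise below zero
    return mean, math.sqrt(var)

# Constructed sample: two summary rows for one clientip (bytes 100,200 and 300,400,500).
SAMPLE_ROWS = [
    {"clientip": "192.0.2.10", "psrsvd_gc": "2", "psrsvd_v": "1",
     "psrsvd_ct_bytes": "2", "psrsvd_nc_bytes": "2",
     "psrsvd_sm_bytes": "300", "psrsvd_ss_bytes": "50000"},
    {"clientip": "192.0.2.10", "psrsvd_gc": "3", "psrsvd_v": "1",
     "psrsvd_ct_bytes": "3", "psrsvd_nc_bytes": "3",
     "psrsvd_sm_bytes": "1200", "psrsvd_ss_bytes": "500000"},
]
```

Because counts, sums and sums of squares add across rows, the merged result matches what a single pass over all five raw values would give, which is why an average is stored as its parts rather than as a finished number.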