Thursday, January 12, 2012

Splunk psrsvd fields

Summary indexing in Splunk produces a lot of psrsvd_* fields. Below is an explanation of what they actually stand for.
  • psrsvd_ct_bytes
  • psrsvd_gc
  • psrsvd_nc_bytes
  • psrsvd_sm_bytes
  • psrsvd_ss_bytes
  • psrsvd_v
  • psrsvd_vt_bytes

psrsvd stands for "prestats reserved"

These fields are an artifact of using the si* versions of the reporting commands (sistats, sichart, sitimechart, sitop, sirare). They are specially named so that, on retrieval from the summary index, the plain reporting command (stats/chart/timechart/top/rare) can recognise them and properly decode the information. Because the decoding keys on the field names, do not rename, strip or otherwise rewrite psrsvd_* fields in the summary index, or the later reporting command will not be able to reconstruct the results.

The general pattern is psrsvd_[type]_[fieldname], although some types are not scoped to a field:
1. ct = count
2. gc = group count (the count for a stats "grouping", not scoped to a field)
3. nc = numerical count (number of numerical values; non-numeric values are included in ct but not in nc)
4. sm = sum
5. ss = sum of squares
6. v = version (not scoped to a field)
7. vt = value type (contains the precision of this field)
So, for example, the count for a field named 'foobar' is stored as psrsvd_ct_foobar, and its sum as psrsvd_sm_foobar.
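The following is an added example, not Splunk's own code, showing why the ct/nc/sm/ss accumulators are enough for a retrieval-time reporting command to rebuild count, avg and stdev for a field across several summary rows without the raw events: all four are plain sums, so rows for the same group can be added together and the mean and variance recovered from the totals. The rows below are constructed (web01 saw bytes=100,200,300 in one span and bytes=400 plus a non-numeric value in the next; web02 saw 50,50), the psrsvd_v value is a placeholder, and the mean/variance formulas are the standard sufficient-statistics identities rather than a claim about Splunk's internal implementation.

```python
import re
import shlex
from math import sqrt

# Accumulator types that are additive across summary rows. v and vt are
# metadata and are not merged here.
PSRSVD_FIELD = re.compile(r"^psrsvd_(ct|nc|sm|ss)_(.+)$")

# Constructed rows in the shape a summary index fed by
# 'sistats count(bytes) avg(bytes) stdev(bytes) by host' could hold.
# Values are made up; psrsvd_v=1 is a placeholder version value.
SAMPLE_ROWS = [
    'host="web01" psrsvd_v=1 psrsvd_gc=3 psrsvd_ct_bytes=3 psrsvd_nc_bytes=3 '
    'psrsvd_sm_bytes=600 psrsvd_ss_bytes=140000',
    # 400 plus one non-numeric value: ct counts both, nc only the number
    'host="web01" psrsvd_v=1 psrsvd_gc=2 psrsvd_ct_bytes=2 psrsvd_nc_bytes=1 '
    'psrsvd_sm_bytes=400 psrsvd_ss_bytes=160000',
    'host="web02" psrsvd_v=1 psrsvd_gc=2 psrsvd_ct_bytes=2 psrsvd_nc_bytes=2 '
    'psrsvd_sm_bytes=100 psrsvd_ss_bytes=5000',
]


def parse_row(line):
    """Turn one key=value line into a dict (shlex strips the quoting)."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def merge_rows(rows):
    """Sum the per-field accumulators of all rows belonging to one group.

    ct, nc, sm and ss are plain sums, which is what makes summary rows
    mergeable without access to the raw events.
    """
    gc = 0
    acc = {}
    for row in rows:
        gc += int(row.get("psrsvd_gc", 0))
        for key, value in row.items():
            m = PSRSVD_FIELD.match(key)
            if not m:
                continue
            typ, field = m.groups()
            slot = acc.setdefault(field, {"ct": 0, "nc": 0, "sm": 0.0, "ss": 0.0})
            slot[typ] += int(value) if typ in ("ct", "nc") else float(value)
    return gc, acc


def decode(slot):
    """Rebuild count, avg and standard deviations from one field's totals.

    mean = sm/nc and var = ss/nc - mean^2 are the textbook identities for
    these sufficient statistics; stdev uses the n-1 (sample) form and
    stdevp the n (population) form.
    """
    nc, sm, ss = slot["nc"], slot["sm"], slot["ss"]
    out = {"count": slot["ct"], "numeric_count": nc,
           "avg": None, "stdev": None, "stdevp": None}
    if nc == 0:
        return out  # no numeric values: avg/stdev undefined, count still valid
    mean = sm / nc
    out["avg"] = mean
    # clamp tiny negative rounding error before taking the square root
    out["stdevp"] = sqrt(max(ss / nc - mean * mean, 0.0))
    if nc > 1:
        out["stdev"] = sqrt(max((ss - nc * mean * mean) / (nc - 1), 0.0))
    return out


def summarize(lines, split_by="host"):
    """Group parsed rows by split_by and decode every psrsvd-carried field."""
    groups = {}
    for row in map(parse_row, lines):
        groups.setdefault(row.get(split_by), []).append(row)
    result = {}
    for name, rows in groups.items():
        gc, acc = merge_rows(rows)
        result[name] = {"group_count": gc,
                        "fields": {f: decode(s) for f, s in acc.items()}}
    return result


if __name__ == "__main__":
    for host, stats in sorted(summarize(SAMPLE_ROWS).items()):
        print(host, stats)
```

For web01 the merged totals are ct=5, nc=4, sm=1000, ss=300000, giving avg 250 and a sample stdev of about 129.1, the same result you would get from stats on the four raw numeric values. The difference between count and numeric_count is the ct/nc distinction from the list above.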