https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653378#M596 <P>Hi,<BR /><BR />I'm working with a large amount of data.<BR />I wrote a main report that extracts all events (let's call them events A,B,C,D) from the last 30 days and do some manipulations for fields.<BR />And then i wrote 5 reports that filter the main saved report by events type and get only the relevant fields for each event:<BR />For example- the report for event A contain all fields relevant for event A,&nbsp;<BR />report for event B contains all fields relevant for event B and etc.&nbsp;<BR /><BR />My dashboard contains 5 tabs, one for each event (tab 1 for report A, tab 2 for report B,..), and triggers the relevant saved search report (reports A/B/C,..)<BR /><BR />Problems- all the reports run very slow<BR /><BR />My questions:<BR />1. How to read only delta data each time? i mean, how to not read 30 days each time at once, if the query was already run today and i execute it one more time it should read only new data and use the history data that have already read in the previous run.<BR /><BR />2. i read a bit about summary index. my reports extract all fields and not aggregate data. how to create my 6 reports (main+5 others) with summary index? As i said, - i use table command and not functions like top,count,.. in my query (my reports just extract relevant fields with some naming manipulations)<BR /><BR />* in case that you would recommend to use summary index i will appreciate if you could provide me example code, because i have 6 reports and not sure how work with summary index&nbsp;<BR /><BR />thanks,<BR />Maayan</P> Mon, 07 Aug 2023 18:56:06 GMT maayan 2023-08-07T18:56:06Z https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653378#M596 <P>Hi,<BR /><BR />I'm working with a large amount of data.<BR />I wrote a main report that extracts all events (let's call them events A,B,C,D) from the last 30 days and do some manipulations for fields.<BR />And then i wrote 5 reports that filter the main saved report by events type and get only the relevant fields for each event:<BR />For example- the report for event A contain all fields relevant for event A,&nbsp;<BR />report for event B contains all fields relevant for event B and etc.&nbsp;<BR /><BR />My dashboard contains 5 tabs, one for each event (tab 1 for report A, tab 2 for report B,..), and triggers the relevant saved search report (reports A/B/C,..)<BR /><BR />Problems- all the reports run very slow<BR /><BR />My questions:<BR />1. How to read only delta data each time? i mean, how to not read 30 days each time at once, if the query was already run today and i execute it one more time it should read only new data and use the history data that have already read in the previous run.<BR /><BR />2. i read a bit about summary index. my reports extract all fields and not aggregate data. how to create my 6 reports (main+5 others) with summary index? As i said, - i use table command and not functions like top,count,.. in my query (my reports just extract relevant fields with some naming manipulations)<BR /><BR />* in case that you would recommend to use summary index i will appreciate if you could provide me example code, because i have 6 reports and not sure how work with summary index&nbsp;<BR /><BR />thanks,<BR />Maayan</P> Mon, 07 Aug 2023 18:56:06 GMT https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653378#M596 maayan 2023-08-07T18:56:06Z https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653382#M597 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256320">@maayan</a>,</P><P>yes the solutions could be summary indexes or data models.</P><P>In bothe cases, you have to schedule a search, e.g. for&nbsp; report 1:</P><LI-CODE lang="markup">index=index1 | table _time field 1 field2, field3 | collect index=summary1</LI-CODE><P>the frequency dependa on your requirements.</P><P>then you can run a search on this index, e.g. calculate sum of field 2 for each field1:</P><LI-CODE lang="markup">index=summary1 | stats sum(field2) AS field2_sum BY field1</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 07 Aug 2023 09:17:53 GMT https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653382#M597 gcusello 2023-08-07T09:17:53Z https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653393#M598 <P>ok, I will try,thanks!<BR /><BR />And regarding my first question, is it something that I can do in Splunk? (read delta data)<BR /><BR />And which method do you recommend to use in my case? data model or summary index?<BR /><BR />thanks</P> Mon, 07 Aug 2023 10:48:59 GMT https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653393#M598 maayan 2023-08-07T10:48:59Z https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653394#M599 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256320">@maayan</a>,</P><P>yes, you can calculate delta, global and partial sum, etc...</P><P>the main job is building the scheduled search to extract the requested data.</P><P>in my opinion, I'd use summary index, scheduling the population search with the frequency you need (e.g. every month or every night.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 07 Aug 2023 11:03:42 GMT https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653394#M599 gcusello 2023-08-07T11:03:42Z https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653550#M600 <P>Thanks&nbsp;Gcusello!<BR />Can you explain more about: "<SPAN>you can calculate delta, global and partial sum, etc..."&nbsp; ?<BR />I didn't find documentation and also asked in other communities and nobody knows.</SPAN></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P> Tue, 08 Aug 2023 09:00:56 GMT https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/653550#M600 maayan 2023-08-08T09:00:56Z https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/654177#M601 <P>Hi, i tried to implement the summary index as you suggested but i had a problem to extract the original fields from the main query. i read that i might use stats and stats. i posted a new post. maybe you can help. thanks</P> Sun, 13 Aug 2023 09:36:28 GMT https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/654177#M601 maayan 2023-08-13T09:36:28Z https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/654198#M602 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256320">@maayan</a>,</P><P>it all depends on the data you have (that I don't know), so e.g. if field1 is the hostname and field2 is the CPU utilization, you save with the scheduled search the CPU utilization min, max and avg day by day.</P><LI-CODE lang="markup">index=index1 | stats min(CPU) AS min_CPU max(CPU) AS max_CPU avg(CPU) AS avg_CPU BY host | collect index=summary1</LI-CODE><P>then you can calculate (using the normal commands as stats or timechart) the max, the avg and the min in a month&nbsp;&nbsp;</P><LI-CODE lang="markup">index=summary1 | stats min(min_CPU) AS min_CPU max(max_CPU) AS max_CPU avg(avg_CPU) AS avg_CPU BY host</LI-CODE><P>As I said, it depends on the data that you added to you summary index.</P><P>Ciao.</P><P>Giuseppe</P> Sun, 13 Aug 2023 14:25:28 GMT https://community.splunk.com/t5/Other-Usage/Summary-index-for-non-aggregated-data-How-to-read-only-delta/m-p/654198#M602 gcusello 2023-08-13T14:25:28Z