https://community.splunk.com/t5/Reporting/Graphing-scheduled-saved-search-results/m-p/77080#M1761 <P>Hello fellow splunkers,</P> <P>I have a large dataset that I am searching through, and I want to create a historical timechart which goes back for several months. Because of the size of the dataset, having a search which goes that far back is impracticable (or at least impractical). </P> <P>My solution was to schedule a daily search which would save the results from the last 24 hours. After 3 months, for example, I would have 90 saved results which each only contain a simple count of the number of events, and my chart could therefore simply graph the counts from each saved result, with each one being a datapoint. I'd just set the TTL for the saved results to be 90 days.</P> <P>I'm fairly new to Splunk, but this seems like it would be a pretty basic feature, so I feel like I'm missing something. The closest I've gotten is using something like <EM>| append loadjob savedsearch=foo</EM>, but that will only add a single saved result, unless <EM>foo</EM> is somehow a "living" result which always has the results from the past 90 days.</P> <P>I've heard of summary indexes for dealing with large datasets, and I'll research them to see if it's what I need, but I was hoping for a relatively simple solution which could be carried out within the Splunk web interface.</P> <P>Thanks in advance, and sorry if this has been answered before.</P> Fri, 15 Jun 2012 20:19:07 GMT rereeser 2012-06-15T20:19:07Z https://community.splunk.com/t5/Reporting/Graphing-scheduled-saved-search-results/m-p/77080#M1761 <P>Hello fellow splunkers,</P> <P>I have a large dataset that I am searching through, and I want to create a historical timechart which goes back for several months. Because of the size of the dataset, having a search which goes that far back is impracticable (or at least impractical). </P> <P>My solution was to schedule a daily search which would save the results from the last 24 hours. After 3 months, for example, I would have 90 saved results which each only contain a simple count of the number of events, and my chart could therefore simply graph the counts from each saved result, with each one being a datapoint. I'd just set the TTL for the saved results to be 90 days.</P> <P>I'm fairly new to Splunk, but this seems like it would be a pretty basic feature, so I feel like I'm missing something. The closest I've gotten is using something like <EM>| append loadjob savedsearch=foo</EM>, but that will only add a single saved result, unless <EM>foo</EM> is somehow a "living" result which always has the results from the past 90 days.</P> <P>I've heard of summary indexes for dealing with large datasets, and I'll research them to see if it's what I need, but I was hoping for a relatively simple solution which could be carried out within the Splunk web interface.</P> <P>Thanks in advance, and sorry if this has been answered before.</P> Fri, 15 Jun 2012 20:19:07 GMT https://community.splunk.com/t5/Reporting/Graphing-scheduled-saved-search-results/m-p/77080#M1761 rereeser 2012-06-15T20:19:07Z https://community.splunk.com/t5/Reporting/Graphing-scheduled-saved-search-results/m-p/77081#M1762 <P>What you're trying to do is essentially summary indexing. Basically, you take your daily scheduled search and instead of sending the output to display, you send it to a separate index. Then in three months, you run your output search against the summary index so it only has to deal with 90 datapoints. </P> <P>This is all configurable in the UI. <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing">Details are here</A></P> Fri, 15 Jun 2012 20:56:02 GMT https://community.splunk.com/t5/Reporting/Graphing-scheduled-saved-search-results/m-p/77081#M1762 emiller42 2012-06-15T20:56:02Z https://community.splunk.com/t5/Reporting/Graphing-scheduled-saved-search-results/m-p/77082#M1763 <P>Great, thanks. I guess I initially misunderstood how summary indexing worked.</P> Mon, 18 Jun 2012 16:22:40 GMT https://community.splunk.com/t5/Reporting/Graphing-scheduled-saved-search-results/m-p/77082#M1763 rereeser 2012-06-18T16:22:40Z