https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139717#M3130 <P>Those methods A and B are not supposed to complete each others they are just 2 ways to achieve the same thing.</P> <P>A - The "Summary indexing" is like generating events in a new index.<BR /> It's is perfect to generate a new set of pre-calculated data, and keep it for a longer retention.<BR /> example : having millions of web acccess logs in an index with a short retention, and every day summarize them as a number of hit per day, store in an dedicated index with a long retention. At the end you will only keep this information.<BR /> The only difficulty is if a scheduled search is skipped, you may have a gap to backfill</P> <P>B - Report acceleration is for searches only, it precaculate them for you.<BR /> Example : having a long statistical search over a long period to populate a dashboard. Accelerate it to run all the time in the background , and load faster.</P> <P>C - Data model acceleration is only usefull if you already have a datamodel. They are usually heavier to run, so accelerating them will help. <BR /> Example : the Common Information Model (CIM) comes with many datamodels, once the volume is large, the searches are slower. When the acceleration is turned on (depending of thebackfill range), it will be faster for the recent days.</P> Tue, 17 Nov 2015 15:55:24 GMT yannK 2015-11-17T15:55:24Z https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139713#M3126 <P>They are many features using objects named <STRONG>"summary"</STRONG>, this is confusing, please clarify.</P> <P>what are the differences between all those paths ?</P> <PRE><CODE>$SPLUNK_HOME/var/lib/splunk/summary/db $SPLUNK_HOME/var/lib/splunk/defaultdb/summary $SPLUNK_HOME/var/lib/splunk/defaultdb/datamodel_summary </CODE></PRE> <P>In savedsearches, what means <CODE>auto_summarize</CODE> and <CODE>alert.action=summary</CODE></P> Thu, 25 Sep 2014 01:18:55 GMT https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139713#M3126 mataharry 2014-09-25T01:18:55Z https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139714#M3127 <P>To clarify there are 3 features named "summary" in splunk, :</P> <P>A - <STRONG>Summary indexing</STRONG> : classic since splunk 4.*</P> <UL> <LI>populated by scheduled searches, can use special "si*" stats commands (use the parameter alert.action=summary in savedsearches.conf)</LI> <LI>results are saved in the spooler and reindexed with the sourcetype stash_new</LI> <LI>stored in an index of your choice. </LI> <LI>an index named "summary" is shipped with splunk by default ($SPLUNK_HOME/var/lib/splunk/summary/db)</LI> <LI>the results have to be retrieved with special searches syntax</LI> <LI>docs : <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Usesummaryindexing" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Usesummaryindexing</A></LI> </UL> <P>B - <STRONG>Report acceleration</STRONG> : introduced on splunk 5.*</P> <UL> <LI>Some searches can be accelerated, (use the parameter auto_summarize=true in savedsearches.conf)</LI> <LI>for each index a folder named "summary" is created at the same level than the homePath. ( example $SPLUNK_HOME/var/lib/splunk/defaultdb/summary)</LI> <LI>The acceleration is transparent.</LI> <LI>docs <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Aboutsummaryindexing#Report_acceleration" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Aboutsummaryindexing#Report_acceleration</A></LI> </UL> <P>C - <STRONG>Data model acceleration</STRONG> : introduced on splunk 6.*</P> <UL> <LI>the data models can be accelerated, (use the parameter acceleration=true in datamodels.conf)</LI> <LI>the results are stored per index in the folder named "datamodel_summary" at the same level than the homePath. (example $SPLUNK_HOME/var/lib/splunk/defaultdb/datamodel_summary )</LI> <LI>The acceleration rely on tstats commands and is transparent.</LI> <LI>docs : <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Aboutsummaryindexing#Data_model_acceleration" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Aboutsummaryindexing#Data_model_acceleration</A></LI> </UL> <P>Remark : none of those features counts on your license usage, but they can add some extra search load to generate the summarized data.</P> Mon, 28 Sep 2020 17:41:48 GMT https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139714#M3127 yannK 2020-09-28T17:41:48Z https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139715#M3128 <P>@yannK - Is there anyway you could explain these in more of a conceptual vs. a mechanical way?</P> Tue, 17 Nov 2015 15:19:26 GMT https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139715#M3128 jaredlaney 2015-11-17T15:19:26Z https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139716#M3129 <P>For example, maybe explain if one is more like an additional index vs. one being a cache? Maybe some good cases of when to use one vs. when to use another.</P> Tue, 17 Nov 2015 15:20:26 GMT https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139716#M3129 jaredlaney 2015-11-17T15:20:26Z https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139717#M3130 <P>Those methods A and B are not supposed to complete each others they are just 2 ways to achieve the same thing.</P> <P>A - The "Summary indexing" is like generating events in a new index.<BR /> It's is perfect to generate a new set of pre-calculated data, and keep it for a longer retention.<BR /> example : having millions of web acccess logs in an index with a short retention, and every day summarize them as a number of hit per day, store in an dedicated index with a long retention. At the end you will only keep this information.<BR /> The only difficulty is if a scheduled search is skipped, you may have a gap to backfill</P> <P>B - Report acceleration is for searches only, it precaculate them for you.<BR /> Example : having a long statistical search over a long period to populate a dashboard. Accelerate it to run all the time in the background , and load faster.</P> <P>C - Data model acceleration is only usefull if you already have a datamodel. They are usually heavier to run, so accelerating them will help. <BR /> Example : the Common Information Model (CIM) comes with many datamodels, once the volume is large, the searches are slower. When the acceleration is turned on (depending of thebackfill range), it will be faster for the recent days.</P> Tue, 17 Nov 2015 15:55:24 GMT https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139717#M3130 yannK 2015-11-17T15:55:24Z https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139718#M3131 <P>yannK mentioned the following</P> <BLOCKQUOTE> <P>an index named "summary" is shipped with splunk by default ($SPLUNK_HOME/var/lib/splunk/summary/db)</P> </BLOCKQUOTE> <P>I believe it's $SPLUNK_HOME/var/lib/splunk/summarydb, not $SPLUNK_HOME/var/lib/splunk/summary/db. Notice that there is no backslash between "summary" and "db".</P> Tue, 29 Sep 2020 12:02:11 GMT https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139718#M3131 mic 2020-09-29T12:02:11Z