Can/Should I create a summary index from Hunk?

Ultra Champion

We have the claims virtual index of 1.3 billion claims in Hunk.

In order to find all related hospice claims in 2014 - 2016, I ran the following.

index=claims *hospice* prov_state="XX"
| eval withinTimeFrame2014=if(like(detail_svc_date, "%2014%"), 1, 0)
| eval withinTimeFrame2015=if(like(detail_svc_date, "%2015%"), 1, 0)
| eval withinTimeFrame2016=if(like(detail_svc_date, "%2016%"), 1, 0)
| where withinTimeFrame2014=1 OR withinTimeFrame2015=1 OR withinTimeFrame2016=1
| table *

It returns around half a million claims.

It seems to me that easy access to the result set could be provided via a summary index.

Does it make sense?

If so, how do I create a summary index for this query from Hunk?


Ultra Champion

According to Caching Hadoop Data with Splunk and Hunk, summary indexing is a good choice.


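One concrete way to set this up, added here as an example and not part of the original thread or of Splunk's own documentation. Summary indexing writes to a regular (non-virtual) Splunk index, so that index has to exist on the Splunk side; the index name `hospice_summary`, the role name `role_claims_analyst`, the retention value and the schedule below are all assumptions. Because the search ends in `table *`, the summary holds complete claim records rather than aggregates, so the copy is given the same index-level role restriction the raw claims data should have, and an explicit retention period.

```ini
# indexes.conf (indexer, or the Hunk search head if it indexes locally).
# Index name and paths are assumed; paths follow the usual $SPLUNK_DB layout.
[hospice_summary]
homePath   = $SPLUNK_DB/hospice_summary/db
coldPath   = $SPLUNK_DB/hospice_summary/colddb
thawedPath = $SPLUNK_DB/hospice_summary/thaweddb
# The summary carries full claim rows (table *), so set retention explicitly
# instead of inheriting the default. Assumed value: 5 years.
frozenTimePeriodInSecs = 157680000

# authorize.conf: only the role that may read the raw claims should be able
# to read the summarised copy. Role name is assumed.
[role_claims_analyst]
srchIndexesAllowed = claims;hospice_summary
srchIndexesDefault = claims

# savedsearches.conf, part 1: one-off backfill of 2014-2016.
# This is the original search with "collect" appended; run it once by hand
# over all time (the filter is on detail_svc_date, not _time), then leave it
# unscheduled. The marker field lets consumers select this data set later.
[hospice_claims_backfill]
search = index=claims *hospice* prov_state="XX" \
| eval withinTimeFrame2014=if(like(detail_svc_date, "%2014%"), 1, 0) \
| eval withinTimeFrame2015=if(like(detail_svc_date, "%2015%"), 1, 0) \
| eval withinTimeFrame2016=if(like(detail_svc_date, "%2016%"), 1, 0) \
| where withinTimeFrame2014=1 OR withinTimeFrame2015=1 OR withinTimeFrame2016=1 \
| table * \
| collect index=hospice_summary marker="report=hospice_2014_2016"
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0

# savedsearches.conf, part 2: recurring refresh for claims that arrive later.
# Uses the summary-index action instead of collect; each nightly run appends
# the previous day's matching claims to the same index. Schedule is assumed.
[hospice_claims_summary]
search = index=claims *hospice* prov_state="XX" \
| where like(detail_svc_date, "%2014%") OR like(detail_svc_date, "%2015%") OR like(detail_svc_date, "%2016%") \
| table *
cron_schedule = 0 2 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
action.summary_index = 1
action.summary_index._name = hospice_summary
action.summary_index.report = hospice_2014_2016
```

Consumers then query `index=hospice_summary report=hospice_2014_2016` instead of re-scanning the 1.3 billion-row virtual index. Two checks are worth doing after the backfill: compare `| stats count` on the summary against the roughly half a million rows the Hunk search returned, and confirm that a user who is not in the restricted role gets nothing back from the summary index, since the copy is exactly as sensitive as the claims data it was drawn from.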