Splunk Dev

how to initially setup a summary index ?

Skins
Path Finder

I have a report which is sloooow - seems like a good candidate for summary index. reading the docs it suggests configuring a saved search to run on an hourly basis to populate the previous hours data.

This dashboard panel will then show a months web transactions.

but how to set this up initially .. should i create a scheduled saved search to initially run over a month timeframe to initially populate the summary index - and then reconfigure to run hourly - or what ?

gratzi.

Tags (1)
0 Karma

deepashri_123
Motivator
0 Karma

somesoni2
SplunkTrust
SplunkTrust

You would schedule it to run per your desired frequency, i.e. Hourly, to summary index data from now on. Then you would backfill the summary index for the desired duration, constrain by amount of raw data you've available. The backfill process can be found here:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Managesummaryindexgapsandoverlaps

The backfill can only be done for period you've actual/raw data available. The backfill period should be just before you scheduled it run.

ddrillic
Ultra Champion

Before you embark on a summary index journey, please consider report acceleration as it's a simpler feature and Splunk tries to stir us in this direction.

Skins
Path Finder

gratzi - accelerated the report and it gave me exactly what i was looking for.

0 Karma

paulbannister
Communicator

Hi There,

Short answer would be... both

Slightly longer answer depends of whether you want any historical data to work with/how long it will take to run the search over a months worth of data, or if you're happy to just populate with data from the time you click go

I'm assuming you've done everything you can to optimise the search you have, if that's the case then summary index is definitely the way to go

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...