Is it more efficient to search in the main index w...

vijaykumartcs · ‎09-27-2017

i have created a dashboard with 6 panel's, with last 7days time frame (from today) for transaction's count between the A-b, B-c, C-D applications, daily more than 1lakh + transactions are flowing, no i want to use summary index for improving the performance.

As summary index run's fast searches, My requirement is, i want to use the regular index for capturing today's data and for last 6 days it should capture the data from summary index.

Please help me with the queries and commands which i can use.

harsmarvania57 · ‎09-27-2017

Hi @vijaykumartcs,

You can use append command in your splunk query so your query will be index=<index name> earliest=@d latest=now .... your search..... | append [ search index=<summary index> earliest=-7d@d latest=@d ..... your search ..... ]

You can change earlist and latest value based on your requirement.

Thanks,
Harshil

Is it more efficient to search in the main index with data from the summary index?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Is it more efficient to search in the main index with data from the summary index?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>