- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I know the title of my system index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have read through the documentation and still feel that I am missing something with creating an index summary. I want to use sistats and have my data setup how I want it to generate the index summary. How would I know what the summary is named or how do I generate an index summary for where my data will get stored. I might have missed a key point but I done see how if I use sistats I know how to reference my data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a summary index is just like any other index
for creating, setting, and all other purposes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a summary index is just like any other index
for creating, setting, and all other purposes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So at the end of the search if I have sistats. How would I then search that index? I might need to read up on indexing more but I am looking to speed searching the data. Using sistats seems that it would allow me to search just that data but I am not sure how I would then search it after. Is it more of a behind the scenes item where my search will simply be faste?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@adonio thank you. I checked these before and it clicked better this time. Will this persist data also? We have about a 3 month limit. I am creating a manual dataset to persist for a longer timerange. Do indexes keep data longer also or only accelerate reporting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can set index to whatever retention period you want
retention is limited by either time or size, whatever comes first
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This makes a lot more sense thank you. I think half the confusion has come from me not having the access to create an index.
Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!
Preparing your Splunk Environment for OpenSSL3
Incident Response: Reduce Incident Recurrence with Automated Ticket Creation
