Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best ways to report on large volumes of data?

mlevsh
Builder
‎07-02-2019 02:23 PM

Hi,

For Service-Now dashboards we need to report on large volumes of data (one year of data to be precise).
Is summary index the best way to prevent slowness of dashboards?

To get all panels on the dashboards "Active tickets", "Active Tickets aged more than 60 days", "Not Updated tickets", etc - we would need to search on all available data for an year.

Thank you in advance

Reply
2 Solutions
Solved! Jump to solution
Solution

bandit
Motivator
‎07-02-2019 03:08 PM

Datamodel/tstats would be my first choice as they can be updated/rebuilt when you have maintenance or changes to the fields you are reporting on. Data models can only retain data as long as the source index.

Summary indexes can live indefinitely however may need manual intervention to backfill data gaps during maintenance windows or failures.

Metrics/mcollect/mstats is the newest and fastest method for historical metrics but lacks some of the automation of a data model.

Lastly there are lookup tables/CSVs and the kvstore that sometimes work well for edge use cases where you have a frequently changing datcache however won't work with the default time picker

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-05-2019 05:29 PM

A summary index is perfect for this use case, but so is an accelerated data model. You should be able to prototype both in the same day if you know your data and outcomes well, so play around and enjoy the exercise.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-05-2019 05:29 PM

A summary index is perfect for this use case, but so is an accelerated data model. You should be able to prototype both in the same day if you know your data and outcomes well, so play around and enjoy the exercise.

Reply
Solved! Jump to solution

mlevsh
Builder
‎07-17-2019 12:27 PM

@woodcock a delayed thank you!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-17-2019 12:28 PM

Which way did you go and why?

0 Karma
Reply
Solved! Jump to solution
Solution

bandit
Motivator
‎07-02-2019 03:08 PM

Datamodel/tstats would be my first choice as they can be updated/rebuilt when you have maintenance or changes to the fields you are reporting on. Data models can only retain data as long as the source index.

Summary indexes can live indefinitely however may need manual intervention to backfill data gaps during maintenance windows or failures.

Metrics/mcollect/mstats is the newest and fastest method for historical metrics but lacks some of the automation of a data model.

Lastly there are lookup tables/CSVs and the kvstore that sometimes work well for edge use cases where you have a frequently changing datcache however won't work with the default time picker

Reply
Solved! Jump to solution

mlevsh
Builder
‎07-17-2019 12:28 PM

@rob_jordan , delayed thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...