Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best ways to report on large volumes of data?

mlevsh
Builder
‎07-02-2019 02:23 PM

Hi,

For Service-Now dashboards we need to report on large volumes of data (one year of data to be precise).
Is summary index the best way to prevent slowness of dashboards?

To get all panels on the dashboards "Active tickets", "Active Tickets aged more than 60 days", "Not Updated tickets", etc - we would need to search on all available data for an year.

Thank you in advance

Reply
2 Solutions
Solved! Jump to solution
Solution

bandit
Motivator
‎07-02-2019 03:08 PM

Datamodel/tstats would be my first choice as they can be updated/rebuilt when you have maintenance or changes to the fields you are reporting on. Data models can only retain data as long as the source index.

Summary indexes can live indefinitely however may need manual intervention to backfill data gaps during maintenance windows or failures.

Metrics/mcollect/mstats is the newest and fastest method for historical metrics but lacks some of the automation of a data model.

Lastly there are lookup tables/CSVs and the kvstore that sometimes work well for edge use cases where you have a frequently changing datcache however won't work with the default time picker

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-05-2019 05:29 PM

A summary index is perfect for this use case, but so is an accelerated data model. You should be able to prototype both in the same day if you know your data and outcomes well, so play around and enjoy the exercise.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-05-2019 05:29 PM

A summary index is perfect for this use case, but so is an accelerated data model. You should be able to prototype both in the same day if you know your data and outcomes well, so play around and enjoy the exercise.

Reply
Solved! Jump to solution

mlevsh
Builder
‎07-17-2019 12:27 PM

@woodcock a delayed thank you!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-17-2019 12:28 PM

Which way did you go and why?

0 Karma
Reply
Solved! Jump to solution
Solution

bandit
Motivator
‎07-02-2019 03:08 PM

Datamodel/tstats would be my first choice as they can be updated/rebuilt when you have maintenance or changes to the fields you are reporting on. Data models can only retain data as long as the source index.

Summary indexes can live indefinitely however may need manual intervention to backfill data gaps during maintenance windows or failures.

Metrics/mcollect/mstats is the newest and fastest method for historical metrics but lacks some of the automation of a data model.

Lastly there are lookup tables/CSVs and the kvstore that sometimes work well for edge use cases where you have a frequently changing datcache however won't work with the default time picker

Reply
Solved! Jump to solution

mlevsh
Builder
‎07-17-2019 12:28 PM

@rob_jordan , delayed thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...