yes. Thanks for the advice.

Could you explain what you did to add your data to the summary index?
Did you end up changing the search string to use a reporting command? Or somehow used the collect command to place your data in the summary index?

just form the concatenation of the result data and keep as _raw data custom summary index
this is workaround basically which is also good solution

....... | eval newraw=newtime . " report=\"" . report. "\",logtime=\"" . logtime . "\",origsource=\"" ...
| eval _raw=newraw | collect index=my_summary

Report acceleration simply doesn't get the job done. My queries still take hours to run.

I understand that things could be "even faster" if I summarized my output more, but I need the details and _raw. Even if I end my query with stats count by a, b,c,d - for some reason I still don't get those fields in my summary index.

So the point is that I can get a 10x faster query by the simple expedient of creating a new summary index and annotating the input _raw with the set of calculated fields that I need and feeding that data into a new index.

But it seems that no matter what I try Splunk refuses to feed the calculated fields into the new summary index and retains only the original input events, which is actually worse because the original source field is lost, which as you can see I need to extract a field from.

Can we please go back to my original question: How can I feed the output from my query into a new index that retains all my calculated fields?

Sure - if you're including _raw then you need to add your calculated field to the _raw text. That way they stop being transient fields in that search and instead will be added to the summary index. There they will get search-time extracted, so it's easiest to add them as key="value".

Thanks for hanging in there with questions: I generated the results like this: ... |
eval newraw=newtime . " report=\"" . report. "\" logtime=\"" . logtime . "\" origsource=\"" . source . "\" upload_date=\"" . upload_date . "\" uploadtime=\"" . uploadtime . "\" orighost=\"" . host . "\"" | eval _raw=newraw | collect index=eng_summary3

The events are in eng_summary3 with sourcetype="stash" as I would expect, but when I query them the fields are not extracted as expected. I'm using query mode "verbose" (and "smart").

Is there something about sourcetype="stash" that changes or blocks search-time field extraction?

P.S. in the actual query string I am escaping the double quotes internal to the string constants, but when pasted here the escape \ characters were removed.

I tried this with a time range (1w) that returned ~500k events. The events scanned vs. matched are very close (<500 difference in 500k), but pulling those 500k events from the big index took 486 seconds. Pulling them from the "summary" took 30 seconds.

[Except of course that my summary doesn't have the original source field I need]

Is there any good documentation on how splunk indexes it's data? As shown here, it seems to take forever to find things in my large indexes.

Thanks for the reply - please be a patient for another question:

this won't reduce the amount of data that needs to be loaded because no summarizing is happening. You're just copying stuff elsewhere.

I don't understand this comment. I understand it won't reduce the amount of data I need for the results I want, but I do expect it to reduce the total I/O for the entire search by a factor of 98-99% since I won't be scanning an index with the rows that I know I don't want.

For example, suppose the original source index has 1700m rows and is 90GB, but the "summary" only has ~5m rows and is 100MB. 100MB may not be tiny, but it seems like it should be a lot faster just because there is less data to search. I think my mental model for how Splunk searches an index must be very broken.

How does Splunk pull the right 5m rows out of the original 1.7 billion as quickly as it can scan 5m rows in a separate index?

The string I'm searching for is a multi word string, like this: "crashhandler.sh: crash detected, recovery complete"

(updated counts)

I probably misunderstand the purpose of a summary index, but, here's why I thought this was a good idea. Please correct my misunderstandings.

I expect a summary here to be faster compared to searching over the original data because:
(a) I don't have to run the match on _raw over 100m's of records to get the 1-2% I want since they will be tagged with a single field (report) in a smaller overall index.
(b) I don't have to re-run the rex for every reporting query I do since I have already done that conversion
(c) I want to feed this data set into multiple summarizing queries and I don't want to incur the large scan costs over and over.

Running just this query over the time horizon I need takes many hours, so I'm looking for anything I can do to make the development of my final summary queries faster.

I don't mind getting the timestamp and _raw - I just don't understand why I get none of my other fields...?

If I look in the results.csv.gz file in the dispatch folder for the scheduled job, they look correct (all the fields are there). But for some reason they are not in the target index when I query it.