- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- How does a scheduled report interval affect the su...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a soar platform that will fetch events from a splunk summary index - which is feed by multiple scheduled searches. These scheduled searches have various schedules and the soar will fetch from the summary index via rest api of a search head. We also use the summary index for historic searching over longer periods of time, like day/weeks vs minutes or hours.
My question is whether a scheduled report with a short interval vs long interval would have a negative impact on either the accuracy or performance of a search against the summary index?
In other words, how does the interval of a scheduled search impact a summary index?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The interval of the populating search determines the time-granularity and the availability of the data there. If you are running daily, you can create buckets of any size up to daily. For example, you can create 24 1-hour aggregation events but the availability will always be 1-day late(r). If you are running hourly and creating hourly aggregation events then the availability will be 1-hour late(r). Another impact is the impact of 1 search every day vs 24 searches every day. The last impact is that running hourly will consume 24X the space on disk. So:
* Data availability
* Data granularity
* Impact on disk
* Impact on infrastructure performance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The interval of the populating search determines the time-granularity and the availability of the data there. If you are running daily, you can create buckets of any size up to daily. For example, you can create 24 1-hour aggregation events but the availability will always be 1-day late(r). If you are running hourly and creating hourly aggregation events then the availability will be 1-hour late(r). Another impact is the impact of 1 search every day vs 24 searches every day. The last impact is that running hourly will consume 24X the space on disk. So:
* Data availability
* Data granularity
* Impact on disk
* Impact on infrastructure performance
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
