Splunk summary indexing for critical data

Path Finder

Hi all,

I'm using summary indexing to aggregate large amounts of critical data in 5-minute frames.

Now I'm asking myself: is summary indexing on scheduled time frames a good solution for critical (business) data?

What does Splunk do if there is, e.g., a maintenance window of about 1 hour? Is there a gap in the data? What is the best practice for handling these cases to avoid gaps?

Best regards
Steffen


Path Finder

Great, thank you for this link.

But I see the chapter "Searches that run longer than their scheduled intervals:"

From my understanding, there could be some cases where it's not directly visible to me if gaps occur?

So acceleration is the preferred way to handle critical data? I can try this.

Best regards...


Motivator

It depends.

Report Acceleration has some limitations and may not fit your needs.

Regarding the searches running longer than their scheduled intervals: you could run a search to check this and alert if needed.

Regards

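As an added example (not from the original post or the Splunk docs), here is one way to write the check the answer above suggests. It reads the scheduler log that Splunk keeps in `_internal` and lists every run of the summarizing search that was skipped or that took longer than its interval. The saved search name `summary_critical_5m` and the 5-minute interval (`interval_sec=300`) are assumptions; replace them with your own. `run_time`, `scheduled_time`, `status` and `reason` are the scheduler log's own fields.

```spl
index=_internal sourcetype=scheduler savedsearch_name="summary_critical_5m" earliest=-24h latest=now
| eval interval_sec=300
| eval run_time=coalesce(run_time, 0)
| where status="skipped" OR run_time > interval_sec
| eval scheduled_for=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| eval problem=if(status="skipped", "skipped: ".coalesce(reason, "no reason logged"), "overran interval by ".(run_time - interval_sec)." s")
| table scheduled_for savedsearch_name status run_time problem
| sort scheduled_for
```

Every row is a 5-minute frame whose summary data is either missing (skipped) or was written late and may have collided with the next run. Saved as an alert that fires when the result count is greater than 0, with the time range shrunk to roughly the alert's own interval (for example `earliest=-15m` on a 15-minute schedule), it tells you about the problem while the raw events are still in the hot buckets and can be backfilled.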

Motivator

Hello

Yes, if the scheduled search to summarize the data is not executed, you will get gaps. Those gaps can be filled by running the backfill command:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps

Did you try report acceleration? It does something similar but without the need to manage the gaps.

Regards
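As an added example (not from the original post or the Splunk docs), the search below looks at the summary index itself rather than the scheduler log, so it also catches gaps caused by a maintenance window in which the scheduler never ran at all. It buckets the summarized events into 5-minute frames, keeps the empty frames, and collapses consecutive empty frames into one range per gap. Assumptions: the summary index is called `summary`, the summary search is saved as `summary_critical_5m` (Splunk sets `source` to the saved search name by default), its events carry a `_time` inside the frame they summarize, and the search stops 10 minutes short of now so the most recent frame, which the scheduler may not have written yet, is not reported as a gap.

```spl
index=summary source="summary_critical_5m" earliest=-7d@d latest=-10m@m
| timechart span=5m count AS events
| eval empty=if(events=0, 1, 0)
| streamstats current=f last(empty) AS prev_empty
| eval gap_start=if(empty=1 AND (isnull(prev_empty) OR prev_empty=0), 1, 0)
| streamstats sum(gap_start) AS gap_id
| where empty=1
| stats min(_time) AS gap_from, max(_time) AS last_empty_bucket, count AS missing_frames by gap_id
| eval gap_to=last_empty_bucket + 300
| fieldformat gap_from=strftime(gap_from, "%Y-%m-%d %H:%M:%S")
| fieldformat gap_to=strftime(gap_to, "%Y-%m-%d %H:%M:%S")
| table gap_id gap_from gap_to missing_frames
```

Each row is a half-open range `[gap_from, gap_to)` that can be handed directly to the backfill script from the page linked above, for example `splunk cmd python fill_summary_index.py -app search -name summary_critical_5m -et "<gap_from>" -lt "<gap_to>" -dedup true -auth admin:<password>` (app name and credentials are placeholders). With `-dedup true` the script skips frames that already have summary events, which is what makes it acceptable to run it over a generously wide range after a maintenance window instead of trying to hit the gap exactly.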