Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Understand TSIDX file

AliMaher
Path Finder
‎07-11-2024 09:23 AM

Hello Splunker,

Hope you had a great day!

as per the below picture :

STEP - Splunk Training and Enablement Platform- Data Models (eLearning)_4.mp4_20240704_233648.102.jpg

 

 

 

 

 

 

Q1:- I need to understand the exact process of creating the TSIDX file and its content and how actually it speeds the search?

Q2:- Why the size of the tsidx file is bigger than the raw data itself 35% /15%?

Q3:- what is the difference between tsidx file and datamodel summary?

I am expecting a long answer and more details, actually i like details!

Thanks in advance!

 

Labels (3)
0 Karma
Reply

tscroggins
Influencer
‎07-14-2024 07:49 AM

Hi @AliMaher,

Archived .conf content is a great place to start. Behind The Magnifying Glass: How Search Works by Jeff Champagne provides a nice overview, and TSTATS and PREFIX by Richard Morgan is fantastic.

Try searching conf.splunk.com using your favorite search engine for the term tsidx, e.g. using Google:

https://www.google.com/search?q=site%3Aconf.splunk.com+tsidx 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-11-2024 10:03 AM

Q1. You don't need to understand the internal structure of the tsidx but it's useful to know what is being indexed and how it's being used in searching - it helps writing efficient searches.

Q2. Raw data is stored in compressed (gzipped if I remember correctly) form - hence the low footprint of "raw" data - 1/9th is the typical size of gzipped textual data.

Q3. That's a question akin to "what's a difference between a sports car and a red one" (apart from the obvious fact that red ones are the fastest ones 😉). But seriously. Tsidx is a file format used by Splunk to store its internal structures. Datamodel summary is a concept on a completely different level. In fact datamodel summaries are stored using tsidx files.

Reply

AliMaher
Path Finder
‎07-11-2024 12:12 PM

Great!
what is the datamodel summarization?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-12-2024 10:55 AM

In case of datamodel it's called acceleration. It's a process which runs a scheduled search extracting fields from datamodel data and indexing them in tsidx summary files for efficient searching later.

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...