Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Understand TSIDX file

AliMaher
Path Finder
‎07-11-2024 09:23 AM

Hello Splunker,

Hope you had a great day!

as per the below picture :

STEP - Splunk Training and Enablement Platform- Data Models (eLearning)_4.mp4_20240704_233648.102.jpg

 

 

 

 

 

 

Q1:- I need to understand the exact process of creating the TSIDX file and its content and how actually it speeds the search?

Q2:- Why the size of the tsidx file is bigger than the raw data itself 35% /15%?

Q3:- what is the difference between tsidx file and datamodel summary?

I am expecting a long answer and more details, actually i like details!

Thanks in advance!

 

Labels (3)
0 Karma
Reply

tscroggins
Influencer
‎07-14-2024 07:49 AM

Hi @AliMaher,

Archived .conf content is a great place to start. Behind The Magnifying Glass: How Search Works by Jeff Champagne provides a nice overview, and TSTATS and PREFIX by Richard Morgan is fantastic.

Try searching conf.splunk.com using your favorite search engine for the term tsidx, e.g. using Google:

https://www.google.com/search?q=site%3Aconf.splunk.com+tsidx 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-11-2024 10:03 AM

Q1. You don't need to understand the internal structure of the tsidx but it's useful to know what is being indexed and how it's being used in searching - it helps writing efficient searches.

Q2. Raw data is stored in compressed (gzipped if I remember correctly) form - hence the low footprint of "raw" data - 1/9th is the typical size of gzipped textual data.

Q3. That's a question akin to "what's a difference between a sports car and a red one" (apart from the obvious fact that red ones are the fastest ones 😉). But seriously. Tsidx is a file format used by Splunk to store its internal structures. Datamodel summary is a concept on a completely different level. In fact datamodel summaries are stored using tsidx files.

Reply

AliMaher
Path Finder
‎07-11-2024 12:12 PM

Great!
what is the datamodel summarization?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-12-2024 10:55 AM

In case of datamodel it's called acceleration. It's a process which runs a scheduled search extracting fields from datamodel data and indexing them in tsidx summary files for efficient searching later.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...