Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using multiple summary indexes

sc0tt
Builder
‎06-18-2013 02:22 PM

Our reporting needs are starting to grow so I am planning on creating new summaries and would like to use best practices to manage these summaries while trying to plan ahead as best as possible. I came across another post (here) about using multiple indexes for managing summaries. Based on the answer, I plan use the same structure and create 3 separate indexes (summary_5m, summary_1h, summary_1d).

Is this a good practice? Are there any other methods that may be better?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

emotz
Splunk Employee
Splunk Employee
‎08-16-2013 07:59 AM

Yes, it is a good practice. The objective of summary indexing in general is to reduce the amount of data to be searched/processed by an order of magnitude. Assuming that you would be using these summaries to provide dashboards and in the future trending either month over month or year over year, you will need some level of granularity to support those use cases.

In general data that will be searched together and is of the same type should only be put into another index for security (one group can see and and others should not) or for retention (you want to keep certain data longer than others, maybe for compliance reasons). Given that, if you need to keep the less than 1 hour summary information for 90 days and the 1 hour summary for 2 years and the 1d summary forever, they should all be put into different indexes.

Happy summarizing,
reduce, reuse, recycle

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

emotz
Splunk Employee
Splunk Employee
‎08-16-2013 07:59 AM

Yes, it is a good practice. The objective of summary indexing in general is to reduce the amount of data to be searched/processed by an order of magnitude. Assuming that you would be using these summaries to provide dashboards and in the future trending either month over month or year over year, you will need some level of granularity to support those use cases.

In general data that will be searched together and is of the same type should only be put into another index for security (one group can see and and others should not) or for retention (you want to keep certain data longer than others, maybe for compliance reasons). Given that, if you need to keep the less than 1 hour summary information for 90 days and the 1 hour summary for 2 years and the 1d summary forever, they should all be put into different indexes.

Happy summarizing,
reduce, reuse, recycle

0 Karma
Reply
Solved! Jump to solution

sc0tt
Builder
‎09-19-2013 04:23 AM

Thanks for your response and insight.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...