Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to reuse existing summary index data further

sumitnagal
Path Finder
‎11-18-2011 01:22 PM

We are reporting daily new user added in system. WE have recently moved to summary indexing and we are getting data. Now as we are moving forward, is there a way we can reuse existing summary index data and current reporting.
For example
We are adding 25 user daily, so for a month we have added 750 users. Now when I will move to next month is there a way I can reuse this data, such that when any time I want to know how many users logged in till date. I can add all months data (I have restriction not to keep more then 3 months data in hot storage) in my current months tally. Also I am reporting numbers for this month too.
Here is some query I am using.
index=summary search="test" |bin span=7d _time | dedup puserid | stats dc(puserid)

My search "test" is running hourly and giving me new users in terms of puserid.

Tags (1)
0 Karma
Reply

lpolo
Motivator
‎11-23-2011 10:20 AM

If your sampling rate is hourly, your summary index in a year will have a total number of samples equal to 24 samples_per_day * 365 = 8760 events. Your summary index should be able to handle this. So, I do not see any problem.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...