Real-time monitoring on indexed fields, indexed summary

sbsbb
Builder

I have a couple of fields that I want to be able to search very quickly, because they are in XML files and at search time it takes too long.

So I thought the best way is to extract these fields at index time...

Now my questions:
- Can I make a real-time search on those indexed fields? (I've seen that the normal way for Splunk is to do a real-time search directly, before the indexer has done its job, but if I'm indexing the fields anyway, it makes sense to search on that.)

- Is it possible to automatically index the results of a real-time search as a summary, so I can see on the one hand the actual situation on a real-time dashboard, and on the other hand request the same information from yesterday, for example (without having to compute the result again)?

- Is it possible to define how long each indexed summary is kept? The same for the index database table? Can I keep a summary longer than the indexed data source?

Could you also tell me what solution I have for that in 4.3.3 and 5?

gkanapathy
Splunk Employee

It is most likely not helpful for you to create index-time fields to improve search speed. There are probably more effective methods, but that would depend on your data and the query.

It is not possible to summarize real-time searches. Summaries inherently need to aggregate data, and it's most effective to aggregate data in bulk, not as it shows up in real time. Just create another job to summarize (or use report acceleration).

Summary indexes are independent of their raw source data, but report-accelerated (automatic) summaries are not, and live and die with the raw source data.

0 Karma
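As an added illustration of the "separate job to summarize" approach in the answer above, together with the retention settings that make a summary index outlive its raw source, here is an example configuration. It is not from the thread and not Splunk's own documentation; the index names (`xml_raw`, `summary_xml`), the saved search name, the sourcetype and the field names (`orderId`, `status`, `amount`) are assumptions for the example.

```ini
# savedsearches.conf (search head): a scheduled search that runs every
# 5 minutes over the previous 5 minutes and writes pre-aggregated rows
# into a summary index. This is the "another job to summarize" the
# answer refers to; the 5-minute lag is the price of not summarizing
# in real time. Index, sourcetype and field names are assumed.
[summarize_xml_orders]
search = index=xml_raw sourcetype=sbsbb_xml | sistats count avg(amount) by orderId status
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_xml
# Any action.summary_index.<field> setting adds that field to each summary
# row; tagging with the search name lets dashboards filter on it.
action.summary_index.report = summarize_xml_orders

# indexes.conf (indexer): the summary index has its own retention, so it
# can keep data well beyond the point where the raw XML has been frozen.
# When frozenTimePeriodInSecs elapses and no coldToFrozenDir/script is
# set, the bucket is deleted.
[xml_raw]
homePath   = $SPLUNK_DB/xml_raw/db
coldPath   = $SPLUNK_DB/xml_raw/colddb
thawedPath = $SPLUNK_DB/xml_raw/thaweddb
frozenTimePeriodInSecs = 604800      # 7 days

[summary_xml]
homePath   = $SPLUNK_DB/summary_xml/db
coldPath   = $SPLUNK_DB/summary_xml/colddb
thawedPath = $SPLUNK_DB/summary_xml/thaweddb
frozenTimePeriodInSecs = 31536000    # 365 days
```

A dashboard panel then reads the summary back with the non-`si` form of the same aggregation, for example `index=summary_xml report=summarize_xml_orders | stats count avg(amount) by status`, and yesterday's numbers come from the same query with a different time range, without touching the raw XML. Because `summary_xml` is a normal index, it is kept for its own 365 days even after the 7-day `xml_raw` buckets are gone; a report-accelerated summary, by contrast, would disappear with the raw buckets it was built from.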

sbsbb
Builder

My point is that I have big messages, and I want, for each root element, to get 3 or 4 fields and store them, so I can have a quick search (and a dashboard) and only read the whole message if I see a problem. How can I achieve that?
If I only make a scheduled search, I have to wait until it is executed to have the data; I want to have it as soon as possible...

0 Karma