I have a couple of fields that I want to be able to search very quickly, because they are in XML files, and at search time it takes too long.
So I thought the best way is to extract these fields at index time...
Now my questions:
- Can I make a real-time search on those indexed fields? (I've seen the normal way for Splunk is to do a real-time search directly before the indexer has done its job, but if I'm indexing the fields anyway, it makes sense to search on that.)
- Is it possible to automatically index the results of a real-time search as a summary, so I can see on the one hand the actual situation on a real-time dashboard, and on the other hand I'm able to request the same information from yesterday, for example (without having to compute the result again)?
- Is it possible to define how long each indexed summary is kept? The same for the index database table? Can I keep a summary longer than the indexed data source?
Could you also tell me what solution I have for that in 4.3.3 and 5?
It is most likely not helpful for you to create index-time fields to improve search speed. There are probably more effective methods, but that would depend on your data and the query.
It is not possible to summarize real-time searches. Summaries inherently need to aggregate data, and it's most effective to aggregate data in bulk, not as it shows up in real time. Just create another job to summarize (or for report acceleration).
Summary indexes are independent of their raw source data, but report-accelerated (automatic) summaries are not, and live and die with the raw source data.
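A worked configuration of the approach this answer describes, as an added example that is not part of the original thread: a scheduled (not real-time) search writes a few extracted fields per message into a dedicated summary index, and indexes.conf gives that summary index a longer retention than the raw XML index, which is what makes a summary index independent of its source data. The index names, sourcetype, XML paths, schedule and retention periods are assumptions.

```ini
# savedsearches.conf (assumed stanza name; put it in an app's local/ directory)
[xml_root_summary]
# Scheduled summarizing search: every 5 minutes, pull 3 fields out of each
# XML message (assumed paths) and keep only the aggregate rows.
search = index=xml_raw sourcetype=app_xml | spath output=msg_type path=message.type | spath output=status path=message.status | spath output=customer path=message.customer.id | stats count min(_time) as first_seen max(_time) as last_seen by msg_type, status, customer
cron_schedule = */5 * * * *
enableSched = 1
# Summarize the previous whole 5-minute window so no partial bucket is written
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# Send the results to a separate summary index instead of back into the raw index
action.summary_index = 1
action.summary_index._name = xml_summary
# Any extra action.summary_index.<name> key becomes a field on the summary rows,
# so dashboards can tell which report produced them
action.summary_index.report = xml_root_summary

# indexes.conf: raw XML is frozen after 30 days (assumed), while the
# summary rows are kept for a year (assumed); the two retention periods are unrelated.
[xml_raw]
homePath   = $SPLUNK_DB/xml_raw/db
coldPath   = $SPLUNK_DB/xml_raw/colddb
thawedPath = $SPLUNK_DB/xml_raw/thaweddb
frozenTimePeriodInSecs = 2592000

[xml_summary]
homePath   = $SPLUNK_DB/xml_summary/db
coldPath   = $SPLUNK_DB/xml_summary/colddb
thawedPath = $SPLUNK_DB/xml_summary/thaweddb
frozenTimePeriodInSecs = 31536000
```

A dashboard then searches `index=xml_summary` (small rows, already aggregated) and drills down to `index=xml_raw` only for the interval where a problem shows up; once the raw events pass 30 days the summary rows still answer "what happened yesterday" without recomputing anything.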
My point is I have big messages, and I want for each root element to get 3 or 4 fields and store them, so I can have a quick search (and a dashboard), and only read the whole message if I see a problem. How can I achieve that?
If I only make a scheduled search, I have to wait until it is executed to have the data, and I want to have it as soon as possible...