Knowledge Management

summary indexes + metrics in Splunk 7.0.0

ykpramodhcbt
Path Finder

Hi,

We currently use 6.6.2 and we rely on summary indexes to avoid recalculation of old data.

We want to evaluate Splunk 7's metrics but we find that summary indexes are not supported. Is there any alternative for us to use metrics and store previous calculations in summary indexes? We tried KV Store for this purpose earlier and there was lot of performance impact.

regards
Pramodh

0 Karma
1 Solution

esix_splunk
Splunk Employee
Splunk Employee

This is because in 7, we introduced a new type of index, which is for metrics. This is a very condensed index, and there is very little data stored in these. More akin to a summary index in regards to the size of each event, there will only, in general be the following fields (which act as indexed fields)

Timestamp
Source
Sourcetype
Host
Metric Name
Value
and Dimensions

Read up here : https://docs.splunk.com/Documentation/Splunk/7.0.0/Metrics/Overview

You also see that you have to use a different set of commands to work with Metrics ( mstats and mcatalog) See here : https://docs.splunk.com/Documentation/Splunk/7.0.0/Metrics/Search

In general, performance will be similar, and actually much faster then a summary index. And that is because the metrics treats these events as indexed fields. Akin to the tstats command.

So in answer to your question, Summary indexes are not support as MEtric index types. However, you can aggregate events from the Metrics indexes with the mstats command, and then collect these to a Summary Index, in the same way you do now..

Hope that helps..

View solution in original post

esix_splunk
Splunk Employee
Splunk Employee

This is because in 7, we introduced a new type of index, which is for metrics. This is a very condensed index, and there is very little data stored in these. More akin to a summary index in regards to the size of each event, there will only, in general be the following fields (which act as indexed fields)

Timestamp
Source
Sourcetype
Host
Metric Name
Value
and Dimensions

Read up here : https://docs.splunk.com/Documentation/Splunk/7.0.0/Metrics/Overview

You also see that you have to use a different set of commands to work with Metrics ( mstats and mcatalog) See here : https://docs.splunk.com/Documentation/Splunk/7.0.0/Metrics/Search

In general, performance will be similar, and actually much faster then a summary index. And that is because the metrics treats these events as indexed fields. Akin to the tstats command.

So in answer to your question, Summary indexes are not support as MEtric index types. However, you can aggregate events from the Metrics indexes with the mstats command, and then collect these to a Summary Index, in the same way you do now..

Hope that helps..

Splunksc
Loves-to-Learn

Can we delete this metrics index? How can we disable this index or sourcetype? It is consuming 20 GB of license for us and we do not find any additional functionality with this?

0 Karma

ddrillic
Ultra Champion

Much appreciated @esix - the Vignette people among us would appreciate any additional caching features of the product.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Caching in regards to what?

0 Karma

ddrillic
Ultra Champion

no worries - I call these features caching features as this is my background and that's the way I perceive them.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...