
Can I set accelerated reports timespan to be longer than the index typically holds data?

thisissplunk
Builder

If my index rolls off data at 30 days, and I run an accelerated report every day to build a summary for that day, will the summary have data going back a year eventually? Or is it limited to 30 days because of my index setting?


richgalloway
SplunkTrust

Data in a summary index is independent of data in other index(es).  Your summary data will be retained for a year.

---
If this reply helps you, Karma would be appreciated.

thisissplunk
Builder

Thanks. It just feels weird that using a specifically crafted stats command magically accesses an accelerated report's data and not the index data I'm specifying in the query.


richgalloway
SplunkTrust

I may have misunderstood the question.  Accelerated reports age at the same rate as the base data.

Data saved in a summary index ages at the rate specified for that summary index.

What do you mean by "specifically crafted stats command"?

---
If this reply helps you, Karma would be appreciated.

thisissplunk
Builder

What I mean is that accelerated reports are confusing as hell:

1. You can make a saved report accelerated and it will build some kind of separate summary data on the side.

2. You don't use that saved report anymore to fill up the accelerated report's data/index/whatever like you do with summary indexing. Accelerated reports just build something magically.

3. You "use" the accelerated report's summary data by running a query that has the exact same stats command on the exact same data that the accelerated report uses.

Which makes me wonder what accelerated reporting is building on the side and why it can't be used after the normal data ages off.

I guess it's just supplemental to the normal indexed data, unlike summary indexing which is wholly separate?

Our use case is that we need to save some data for a year when our normal data ages off in 30 days. Having it be as fast as possible would be nice too.


richgalloway
SplunkTrust

Yes, report accelerations, like datamodel accelerations, save their results in a location within the index in which the base data is located.  Accelerations are a kind of scheduled search that rebuilds the summary information regularly.

The summaries can't be used because they age off when the underlying data ages off.

Data written to a summary index (using the collect command) is completely separate from original data so it ages at a different rate.  If you need to keep summary data longer than the raw data then you need a summary index.  Summary indexes tend to be faster than other indexes because they store less data so searches run faster.

---
If this reply helps you, Karma would be appreciated.

thisissplunk
Builder

Thanks for confirming. Summary indexing is what we will need for our requirements then. I guess we can accelerate those indexes later as well for additional speed.

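The setup the thread settles on (raw data kept 30 days, summary data kept a year, filled by a daily scheduled search using `collect`), sketched as configuration. This is an added example, not part of the original posts: the index names `app_raw` and `app_summary`, the saved-search name, the sourcetype, the `stats` fields and the size cap are all hypothetical.

```ini
# indexes.conf (constructed example; index names are hypothetical)

[app_raw]
homePath   = $SPLUNK_DB/app_raw/db
coldPath   = $SPLUNK_DB/app_raw/colddb
thawedPath = $SPLUNK_DB/app_raw/thaweddb
# 30 days * 86400 s. Per the thread, report-acceleration summaries built on
# this index live inside it and age off together with the raw events.
frozenTimePeriodInSecs = 2592000

[app_summary]
homePath   = $SPLUNK_DB/app_summary/db
coldPath   = $SPLUNK_DB/app_summary/colddb
thawedPath = $SPLUNK_DB/app_summary/thaweddb
# 365 days * 86400 s. Retention here is independent of app_raw.
frozenTimePeriodInSecs = 31536000
# Assumed size cap: buckets are also frozen when the index exceeds this size,
# so it must be large enough to hold a full year of summary rows.
maxTotalDataSizeMB = 50000

# savedsearches.conf (constructed example)

[Daily auth summary]
enableSched = 1
# Run shortly after midnight and summarize the previous whole day.
cron_schedule = 15 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# collect writes the aggregated rows into the summary index.
search = index=app_raw sourcetype=auth | stats count by user, action | collect index=app_summary

# Reporting over the long-lived data then reads only the summary index, e.g.:
#   index=app_summary earliest=-1y | stats sum(count) AS count by user, action
```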