Data model, saved search or summary index?

javiierg14
New Member

I need to know which of these methods is better for this scenario:

I have a big log of events, indexing 2.5 million events every day. This log is raw text that requires a complex regular expression to get the fields and values. I have about 10 dashboards feeding from this log; one of them is a report view where my team and I search events with multiple filters that are dynamically chosen from tokens.

These reports take too much time when the time range is seven days ago or more; it's very hard to generate a report of the top 10 events, or the distribution of errors.

The problem is that the time range selected is very random: one day we need a today report, then a 3-months-ago or specific-day one. I need a method to optimize these reports and reduce the duration of the jobs.

I have tried making all the dashboards run a base search and then post-process the results on each panel; this didn't reduce the duration.

So, what do you recommend: use a saved search, a summary index or a data model?

Keep in mind, the time range selected is very variable.


mayurr98
Super Champion

A saved search does not make any sense here, as there are many reports and some of them might be token-based, which you cannot accelerate.
Based on my experience, I would recommend you use a data model, as it is meant to process large amounts of data in a rapid and efficient way. After building a data model you can accelerate it and make as many reports/dashboards as you want.
To accelerate the data model, follow these steps:
To accelerate the data model go to the Data Model Manager page (it says "Data Models" at the top and has an Actions column; you get to it from the Data Model Editor page by clicking "Back to Data Models").

Click Edit and select Edit Permissions. Share the object with the App or All Apps. (Only shared objects can be accelerated.)

Click Edit again and click Edit Acceleration.

In the Edit Acceleration dialog select Accelerate and then select a Summary Range. Summary range is the amount of time that you need to be accelerated. The bigger the range, the more space the acceleration summary will take up on disk and the longer it will take to create, so don't choose a range that is longer than you need it to be. For example, if you don't plan to search over more than the last week or two, select a range of 1 Month.

Save your acceleration changes. Your model is now accelerated.

I hope this helps you!

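The same acceleration the answer above configures through the UI, written as the configuration files it ends up in, plus a saved search that reads the summary. This is an added example, not part of the original thread or of Splunk's own documentation. The app name `my_app`, the data model name `app_errors`, its root event dataset `Events`, and the field `error_code` are assumptions standing in for the poster's own objects; the poster's regex field extraction is not shown and stays wherever it is defined today (the summary is built from whatever fields the model's constraint search returns, so the expensive extraction runs once at summary-build time rather than on every dashboard load).

```ini
# $SPLUNK_HOME/etc/apps/my_app/local/datamodels.conf   (assumed app and model names)
[app_errors]
# Turn the summary on. The model must be shared at app or global scope
# (metadata/local.meta, or Edit > Edit Permissions in the UI) before this takes effect.
acceleration = 1
# Summary range: how far back the summary covers. The poster reports needing
# up to 3 months; anything older than this falls back to a raw-event search.
acceleration.earliest_time = -3mon
# How often the summary is refreshed and how long a single build may run (seconds).
acceleration.cron_schedule = */5 * * * *
acceleration.max_time = 3600

# $SPLUNK_HOME/etc/apps/my_app/local/savedsearches.conf   (assumed base search for the dashboards)
[app_errors_base]
# summariesonly=true reads only the accelerated summary, so the time range that
# matters is the summary range, not how complex the original extraction is.
search = | tstats summariesonly=true count from datamodel=app_errors by _time span=1h, Events.error_code
```

Dashboard panels then post-process `app_errors_base` (for example `| top limit=10 Events.error_code`) instead of re-running the regex search. Two caveats for the poster's "very variable" time ranges: with `summariesonly=true` a request outside the 3-month summary returns no rows at all rather than slow rows, so either drop `summariesonly` (it defaults to false, in which case `tstats` falls back to the raw events for unsummarised time) or pick `acceleration.earliest_time` to cover the widest range the reports ever use; and the summary is only as complete as the last scheduled build, so events indexed since the last run of the cron schedule are not yet in it.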