How exactly do Report, Data acceleration and Summary indexing work? Could someone explain to me in layman's terms please? I understand it helps maximize efficiency in searches by searching on a subset of data, making it quicker etc.
But I don't really get how it works and what people refer to when they talk about a data summary being built in the report acceleration context (i.e. Splunk software runs a background process that builds a data summary based on the results returned by the report.)
Thanks!
basically, report acceleration, in a sense, saves search results for a rolling period of time making reports and report-based dashboard panels run faster. there are caveats as far as what types of reports can be accelerated, though.
for instance, index=_internal|stats count by _time
runs every morning for a time period of 7 days. every day, the oldest day will fall off and a new day will be added.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Manageacceleratedsearchsummaries
summary indexing basically adds onto the existing data of the search you ran and is set up like a saved search.
for example, index=_internal|stats count by _time
runs every week for a time period of 7 days. those 7 days will tack onto the end of the report and you'll have much more data to work with.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Usesummaryindexing
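The two mechanisms described in the answer above, side by side as `savedsearches.conf` stanzas. This is an added example, not part of the original answer or of the Splunk documentation; the stanza names, schedule and target index `summary` are assumptions chosen for illustration.

```ini
# savedsearches.conf (constructed example; stanza names are hypothetical)

# --- Report acceleration: rolling summary maintained by Splunk ---
# Splunk builds and refreshes the summary in the background. Data older
# than the summary range ages out, which is the "oldest day falls off,
# a new day is added" behaviour.
[internal_events_accelerated]
search = index=_internal | stats count by _time
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
auto_summarize = 1
# Summary range: how far back the background summary is kept.
auto_summarize.dispatch.earliest_time = -7d@d

# --- Summary indexing: scheduled search that appends its results ---
# Each run writes its results as new events into the summary index.
# Nothing ages out on its own, so the data set grows with every run.
[internal_events_weekly_summary]
search = index=_internal | stats count by _time
enableSched = 1
# Every Monday at 06:00, covering the previous 7 whole days.
cron_schedule = 0 6 * * 1
# Snap both ends to midnight so consecutive runs neither overlap
# (double counting) nor leave gaps between windows.
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
action.summary_index = 1
action.summary_index._name = summary
```

Reports over the long-term data then search the summary index (here `index=summary`) instead of the raw `_internal` events.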
There is also a good overview of the three types of acceleration in the Knowledge Manager Manual. See Overview of summary-based search and pivot acceleration.