How exactly do Report, Data acceleration and Summary indexing work? Could someone explain to me in layman's terms please? I understand it helps maximize efficiency in searches by searching on a subset of data, making it quicker etc.
But I don't really get how it works and what people refer to when they say a data summary is being built in the report acceleration context (i.e. Splunk software runs a background process that builds a data summary based on the results returned by the report.)
Basically, report acceleration, in a sense, saves search results for a rolling period of time, making reports and report-based dashboard panels run faster. There are caveats as far as what types of reports can be accelerated, though.
index=_internal|stats count by _time
runs every morning for a time period of 7 days. Every day, the oldest day will fall off and a new day will be added.
Summary indexing basically adds onto the existing data of the search you ran and is set up like a saved search.
index=_internal|stats count by _time
runs every week for a time period of 7 days. Those 7 days will tack onto the end of the report and you'll have much more data to work with.
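The two setups described in the answer above, side by side as savedsearches.conf stanzas. This is an added example, not part of the original answer; the stanza names, the cron times and the target index name `summary` are assumptions chosen for illustration.

```ini
# savedsearches.conf (constructed example; stanza names, schedules and the
# "summary" index are assumptions, not taken from the thread)

# Report acceleration: Splunk builds and maintains the data summary itself
# in the background. The summary covers a rolling window, so the oldest
# day ages out as a new day is added.
[internal_count_accelerated]
search = index=_internal | stats count by _time
enableSched = 1
# Run every morning over the last 7 days.
cron_schedule = 0 6 * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
# Turn acceleration on and set how far back the summary reaches.
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -7d@d

# Summary indexing: an ordinary scheduled saved search whose results are
# written as new events into a separate index on every run. Nothing ages
# out of the window; each weekly run appends another 7 days of results.
[internal_count_summary]
search = index=_internal | stats count by _time
enableSched = 1
# Run once a week over the previous 7 complete days.
cron_schedule = 0 0 * * 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
# Send the results to the summary index instead of only displaying them.
action.summary_index = 1
action.summary_index._name = summary
```

With the second stanza, long-range reports search the `summary` index rather than `_internal`, so their cost depends on the number of stored result rows, not on the raw event volume.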