- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Is there a way to configure an index to retain sum...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello splunk users,
I have some new-by questions about accelerated reports. I have accelerated a report simply by clicking on "Accelerate Report".
Good! It works!
With Report Acceleration, the "accelerated" data lives alongside the raw data it summarizes. When that data is deleted, the summarized data goes with it. (see at https://answers.splunk.com/answers/103736/report-acceleration-does-all-time-retain-summarized-data-a...)
Is there a way to configure the index to maintain his summarized data longer than normal raw data? The attribute "frozenTimePeriodInSecs" is valid for all indexed data. Maybe there is a way to configure it only for summarized data.
Thank you very much
Best Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, you cannot keep Report Acceleration Summaries longer than the underlying data that they summarize. The summaries need the underlying data in order to function properly.
However, if you want to store summary data longer than the original data, you might be able to use Summary Indexing. As an example, let's say that you are currently indexing the error logs for a bunch of devices in your network. For 90 days, you need access to the individual incidents, but after that all you need is to be able to trace the number of errors per day by device. A good solution would be to run a search every day that calculates the number of errors by device for the previous day - and stores that calculation in a summary index. If you set the retention to 2 years for the summary index, then you could report based on the daily counts long after the individual events had been removed from the original index.
You might want to read more about Using Summary Indexing in the documentation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, you cannot keep Report Acceleration Summaries longer than the underlying data that they summarize. The summaries need the underlying data in order to function properly.
However, if you want to store summary data longer than the original data, you might be able to use Summary Indexing. As an example, let's say that you are currently indexing the error logs for a bunch of devices in your network. For 90 days, you need access to the individual incidents, but after that all you need is to be able to trace the number of errors per day by device. A good solution would be to run a search every day that calculates the number of errors by device for the previous day - and stores that calculation in a summary index. If you set the retention to 2 years for the summary index, then you could report based on the daily counts long after the individual events had been removed from the original index.
You might want to read more about Using Summary Indexing in the documentation.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
