Hello splunk users,
I have some newbie questions about accelerated reports. I have accelerated a report simply by clicking on "Accelerate Report".
Good! It works!
With Report Acceleration, the "accelerated" data lives alongside the raw data it summarizes. When that data is deleted, the summarized data goes with it. (see https://answers.splunk.com/answers/103736/report-acceleration-does-all-time-retain-summarized-data-a...)
Is there a way to configure the index to maintain its summarized data longer than the normal raw data? The attribute "frozenTimePeriodInSecs" is valid for all indexed data. Maybe there is a way to configure it only for summarized data.
Thank you very much
Best Regards
No, you cannot keep Report Acceleration Summaries longer than the underlying data that they summarize. The summaries need the underlying data in order to function properly.
However, if you want to store summary data longer than the original data, you might be able to use Summary Indexing. As an example, let's say that you are currently indexing the error logs for a bunch of devices in your network. For 90 days, you need access to the individual incidents, but after that all you need is to be able to trace the number of errors per day by device. A good solution would be to run a search every day that calculates the number of errors by device for the previous day - and stores that calculation in a summary index. If you set the retention to 2 years for the summary index, then you could report based on the daily counts long after the individual events had been removed from the original index.
You might want to read more about Using Summary Indexing in the documentation.
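Configuration sketch of the scheme described in the answer above. This is an added example, not part of the original thread or of Splunk's own docs: the index names `device_errors` and `summary_device_errors`, the saved-search name, the `host` field, the cron time and the `report` marker field are all assumptions; only the `indexes.conf` and `savedsearches.conf` attributes themselves are real Splunk settings. The point it demonstrates is that retention is set per index, so the summary index is simply a second index with its own `frozenTimePeriodInSecs`.

```ini
# indexes.conf (on the indexers). Paths and names are assumed for this example.
[device_errors]
homePath   = $SPLUNK_DB/device_errors/db
coldPath   = $SPLUNK_DB/device_errors/colddb
thawedPath = $SPLUNK_DB/device_errors/thaweddb
# raw events: 90 days = 90 * 86400 seconds
frozenTimePeriodInSecs = 7776000

[summary_device_errors]
homePath   = $SPLUNK_DB/summary_device_errors/db
coldPath   = $SPLUNK_DB/summary_device_errors/colddb
thawedPath = $SPLUNK_DB/summary_device_errors/thaweddb
# daily rollups: 2 years = 730 * 86400 seconds
frozenTimePeriodInSecs = 63072000

# savedsearches.conf (on the search head). Runs once a day, a little after
# midnight, over the previous calendar day, and writes one row per device
# into the summary index via the summary-index action.
[Device errors - daily rollup]
search = index=device_errors | bin _time span=1d | stats count AS error_count BY _time, host
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
cron_schedule = 15 0 * * *
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_device_errors
# extra field stamped on every summary event so later searches can select this rollup
action.summary_index.report = device_errors_daily
```

Two details worth checking before relying on this. First, `bin _time span=1d` keeps a `_time` on each summary row, so the summary event is timestamped with the day it summarizes rather than the moment the scheduled search ran; `frozenTimePeriodInSecs` is measured against event time (the newest event in a bucket), so the two-year clock starts on the day of the errors. Second, the summary index must exist on the indexers before the first scheduled run, or the summary-index action has nowhere to write. Reporting over the long-lived data then looks like `index=summary_device_errors report=device_errors_daily | timechart span=1d sum(error_count) BY host`, which keeps working after the raw events in `device_errors` have been frozen. If the scheduled search is added after the raw data already exists, Splunk ships `fill_summary_index.py` to backfill the missing days.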