
Will a new-ingested but old-dated event be accelerated in DMA?

davietch
Path Finder

Hello,

I was wondering if a new event time-generated 1 month ago but indexed today (with the correct _time, meaning "a month ago") will be accelerated by the Summarization process?

Or is there a way to change the earliest time in the Summarization search for the Data Model Acceleration?

Thanks


richgalloway
SplunkTrust

Whether or not a particular event is included in a DMA depends on the summarization range of the DM.  If the range goes back at least a month then a new event dated a month ago will be included.

---
If this reply helps you, Karma would be appreciated.

davietch
Path Finder

Hello

Yes, assuming the range is at least a month long.

So that means the summarize search will have a default "earliest" window of 1 month? Because the event will be in a bucket named with the epoch time of the event (i.e. <latest_event_epoch>_<earliest_event_epoch>_id). So the summarization search needs to be able to search into that bucket.

Is there documentation talking about this?


richgalloway
SplunkTrust

Are you looking for documentation about how datamodel acceleration finds events that arrived a month late?  There isn't anything that specific.


davietch
Path Finder

I was just thinking about some docs describing how the summarization search works and how it can be tuned.


richgalloway
SplunkTrust

Perhaps this will help. https://docs.splunk.com/Documentation/Splunk/8.1.0/Knowledge/Acceleratedatamodels


davietch
Path Finder

Hello,

Yes, I found this sentence: "This method of summary building also ensures that late-arriving data is summarized without complication."

But without real explanation.
