Splunk Enterprise Security
Highlighted

Why do correlation searches in Enterprise Security not use "summariesOnly=true"?

Super Champion

hi,

I was looking into the out-of-box Splunk correlation searches in Splunk Enterprise Security (ES) and it contains allow_old_summaries=true and not summariesOnly=true. Both give me the same set of results.

Time required to run the original Splunk Searches takes me >220 seconds, but with summariesOnly=true, it gives me exactly same output in 8 seconds. So was thinking why Splunk didn't do it in first place? Will data be missed if I use summariesOnly=true?

0 Karma
Highlighted

Re: Why do correlation searches in Enterprise Security not use "summariesOnly=true"?

Contributor

When you add the summariesonly=t flag, this tells the data model only to look at existing accelerated data (tsidx.) If you dont have acceleration configured, or it hasnt run fully, then you wont get results.

From https://answers.splunk.com/answers/301913/where-and-when-do-we-use-summariesonlyt-with-datam.html

also

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

View solution in original post

Highlighted

Re: Why do correlation searches in Enterprise Security not use "summariesOnly=true"?

Super Champion

Thank you. So that means if we have accelerated data models(eg SplunkTACIM), it is good enough to use "summariesonly=t"

0 Karma