
Best practices for summary indexing

mansel_scheffel
Explorer

Hi,

I am trying to set up a bunch of summary indexes and was wondering if there are any best practices to follow? Is there a performance difference between the old way and the new way of SI? Also any general rules to follow that would apply whenever setting up a new summary.

Thanks

0 Karma
1 Solution

skoelpin
SplunkTrust

Hello @michael.scheffel

Some good general rules to follow when creating a SI would be to know why you are running the SI and IF you can run the SI. What I mean by this is, how much will this impact your indexer(s) and how frequently do you want to run the populating searches? If you set up 20 SIs which run every 10 minutes but only have 1 indexer and compete with dozens of other users to run a search, then you are going to have a problem. I would first get an exact number of how many SIs you need to set up and whether this will be a determining factor of the frequency you should run the searches. If you have a lot of people competing for resources then you should increase the frequency of your searches or think about running them when fewer people are searching. I would also recommend putting aliases on your fields, so if you have something like .. | stats sum(DailyTotal) then it should look like this .. | stats sum(DailyTotal) as DailyTotal


0 Karma
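To make the advice above concrete, here is an added example of a scheduled summary-indexing search as it would be defined in savedsearches.conf. It is not code from the thread or from Splunk's documentation; the index names (auth, summary_auth), the stanza name, the field names and the report tag are all assumed for illustration. It follows the "old way" (a plain stats search whose results are written to a summary index), aliases every aggregate so the summary events carry clean field names, and aligns the time window to the schedule so each hour is summarized exactly once.

```ini
# savedsearches.conf (added example, not from the original thread)
# Hypothetical populating search: hourly count of failed logins per
# source IP and user from an assumed "auth" index.
[si_auth_failures_hourly]
enableSched = 1

# Run at 5 minutes past every hour so the last events of the previous
# hour have been indexed before the summary is built.
cron_schedule = 5 * * * *

# Summarize the previous full hour, snapped to hour boundaries.
# Aligning earliest/latest to the cron interval avoids gaps and overlap;
# if two runs overlap, the summary double-counts.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Write the results to the (assumed) summary index "summary_auth".
action.summary_index = 1
action.summary_index._name = summary_auth

# Add a custom field to every summary event so consumers can select
# only this report's rows when several searches share the index.
action.summary_index.report = si_auth_failures_hourly

# Alias the aggregate: without "as failures" the summary field would be
# named "count", and for sum(DailyTotal) it would be "sum(DailyTotal)",
# which is awkward to reference in the consuming search.
search = index=auth action=failure | stats count as failures by src_ip, user

# Consuming search (run over the summary instead of raw events), for
# example over the last 30 days:
#   index=summary_auth report=si_auth_failures_hourly earliest=-30d@d \
#   | stats sum(failures) as failures, dc(user) as users by src_ip \
#   | sort - failures
```

Two caveats a practitioner should keep in mind with the plain-stats approach: only additive aggregates (count, sum) can be re-aggregated correctly from the hourly rows, so the distinct user count above works only because user is kept as a split-by field in the populating search; a dc() computed in the populating search could not be summed across hours. For non-additive statistics (distinct counts, averages, percentiles) use the si* commands (sistats, sitimechart) in the populating search and repeat the same stats call over the summary, which is the "new way" the question asks about. Also check the summary for gaps after a search-head outage; the summary index holds whatever the scheduled runs managed to write, and missed runs must be backfilled with fill_summary_index.py, which is mentioned here only as the Splunk-supplied tool for that purpose.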

ppablo
Retired

@mansel.scheffel

Please do not post the same question numerous times:
https://answers.splunk.com/answers/439482/what-are-best-practices-for-creating-summary-index.html
https://answers.splunk.com/answers/439485/summary-indexing-for-dashboard.html

You've already posted those 2 questions on this same topic, one of them with another account @mwdbhyat. This creates unnecessary clutter on the site and saturates search results. Please do not do this again and do not use multiple accounts on Answers. Choose only one to use from this point forward. I'm going to leave those 2 questions up because there are already valuable responses on there. Otherwise, they would be deleted immediately.

0 Karma

sjohnson_splunk
Splunk Employee

Depending on what you are trying to do there are 3 techniques that are used to make historical searches run faster:

Summary indexing
Report acceleration
Data model acceleration

You should read this part of the knowledge management doc to help you pick the right technology:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Aboutsummaryindexing

0 Karma
