
Best practices for summary indexing

mansel_scheffel
Explorer

Hi,

I am trying to set up a bunch of summary indexes and was wondering if there are any best practices to follow? Is there a performance difference between the old way and the new way of SI? Also any general rules to follow that would apply whenever setting up a new summary.

Thanks


skoelpin
SplunkTrust

Hello @michael.scheffel

Some good general rules to follow when creating a SI would be to know why you are running the SI and IF you can run the SI. What I mean by this is, how much will this impact your indexer(s) and how frequently do you want to run the populating searches? If you set up 20 SIs which run every 10 minutes but only have 1 indexer and compete with dozens of other users to run a search, then you are going to have a problem. I would first get an exact number of how many SIs you need to set up and if this will be a determining factor of the frequency you should run the searches. If you have a lot of people competing for resources then you should increase the frequency of your searches or think about running them when fewer people are searching. I would also recommend putting aliases on your fields, so if you have something like .. | stats sum(DailyTotal) then it should look like this .. | stats sum(DailyTotal) as DailyTotal

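To show what the two rules above (schedule the populating search deliberately, and alias the aggregate) look like in practice, here is an added savedsearches.conf example that is not from the thread or from Splunk's docs; the index, sourcetype, field and stanza names are placeholders.

```ini
# savedsearches.conf (added example; index, sourcetype and field names are placeholders)

[si_daily_total_by_host]
# Scheduled hourly at five past the hour, summarising the previous full hour,
# so the populating search does not pile up with everything else firing at :00
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Route the results into a summary index rather than the normal search results
action.summary_index = 1
action.summary_index._name = summary_sales
# Stamp every summary event with the search that produced it, so several
# summaries sharing one index can be told apart at search time
action.summary_index.report = si_daily_total_by_host
# Alias the aggregate: the summary field is then called DailyTotal,
# not "sum(DailyTotal)", which is awkward to reference later
search = index=sales sourcetype=orders | stats sum(DailyTotal) as DailyTotal by host

[daily_total_dashboard]
# The consuming search reads the summary index instead of the raw data,
# filters on the report field set above, and uses the aliased field name directly
search = index=summary_sales report=si_daily_total_by_host | timechart span=1d sum(DailyTotal) as DailyTotal by host
```

Without the `as DailyTotal` alias the summarised events carry a field literally named `sum(DailyTotal)`, and the dashboard search would have to quote that name to use it.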

ppablo
Retired

@mansel.scheffel

Please do not post the same question numerous times:
https://answers.splunk.com/answers/439482/what-are-best-practices-for-creating-summary-index.html
https://answers.splunk.com/answers/439485/summary-indexing-for-dashboard.html

You've already posted those 2 questions on this same topic, one of them with another account @mwdbhyat. This creates unnecessary clutter on the site and saturates search results. Please do not do this again and do not use multiple accounts on Answers. Choose only one to use from this point forward. I'm going to leave those 2 questions up because there are already valuable responses on there. Otherwise, they would be deleted immediately.


sjohnson_splunk
Splunk Employee

Depending on what you are trying to do there are 3 techniques that are used to make historical searches run faster:

Summary indexing
Report acceleration
Data model acceleration

You should read this part of the knowledge management doc to help you pick the right technology:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Aboutsummaryindexing

