Splunk Search

Best practices for summary indexing

Hi,

I am trying to set up a bunch of summary indexes and was wondering if there are any best practices to follow? Is there a performance difference between the old way and the new way of SI? Also any general rules to follow that would apply whenever setting up a new summary.

Thanks

1 Solution

SplunkTrust

Hello @michael.scheffel

Some good general rules to follow when creating a SI would be to know why you are running the SI and IF you can run the SI. What I mean by this is, how much will this impact your indexer(s) and how frequent do you want to run the populating searches? If you set up 20 SI's which run every 10 minutes but only have 1 indexer and compete with dozens of other users to run a search, then you are going to have a problem. I would first get an exact number of how many SI's you need to set up and if this will be a determining factor of the frequency you should run the searches. If you have a lot of people competing for resources then you should increase the frequency of your searches or think about running them when fewer people are searching. I would also recommend putting aliases on your fields so if you have something like .. | stats sum(DailyTotal) then it should look like this .. | stats sum(DailyTotal) as DailyTotal

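As an added example, not posted in this thread: a pair of savedsearches.conf stanzas that apply the advice above (a populating search with the aliased field, scheduled off the top of the hour, and a consuming search reading the summary). The index, sourcetype, field and stanza names are assumed.

```ini
# savedsearches.conf (hypothetical stanzas, not from the original thread)
# Populating search: runs once an hour and writes per-store totals to the
# summary index "summary_daily". The "as DailyTotal" alias keeps the stored
# field readable; without it the summary field would be named sum(DailyTotal),
# which is awkward to reference in later searches.
[Summary - hourly daily totals]
search = index=sales sourcetype=transactions | stats sum(DailyTotal) as DailyTotal by store
enableSched = 1
# Offset from the top of the hour so this job does not compete with the
# many scheduled searches that fire at :00.
cron_schedule = 7 * * * *
# Search only the previous whole hour so each run covers a distinct window
# and the summary does not double-count.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Continuous scheduling: if the scheduler falls behind, missed runs are
# executed later instead of skipped, so the summary has no gaps.
realtime_schedule = 0
action.summary_index = 1
action.summary_index._name = summary_daily
# Stamp every summary event so consuming searches can filter on it.
action.summary_index.report = hourly_daily_totals

# Consuming search: reads the summary index instead of raw events and uses
# the aliased field name directly. Sums of sums are additive, so the hourly
# totals roll up cleanly.
[Daily totals by store (from summary)]
search = index=summary_daily report=hourly_daily_totals | stats sum(DailyTotal) as DailyTotal by store
```

Check the populating search in the Job Inspector after its first few runs; if it is routinely skipped or queued, widen the interval or move it to a quieter window rather than letting it contend with interactive searches.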

Community Manager

@mansel.scheffel

Please do not post the same question numerous times:
https://answers.splunk.com/answers/439482/what-are-best-practices-for-creating-summary-index.html
https://answers.splunk.com/answers/439485/summary-indexing-for-dashboard.html

You've already posted those 2 questions on this same topic, one of them with another account @mwdbhyat. This creates unnecessary clutter on the site and saturates search results. Please do not do this again and do not use multiple accounts on Answers. Choose only one to use from this point forward. I'm going to leave those 2 questions up because there are already valuable responses on there. Otherwise, they would be deleted immediately.


Splunk Employee

Depending on what you are trying to do, there are 3 techniques that are used to make historical searches run faster:

Summary indexing
Report acceleration
Data model acceleration

You should read this part of the knowledge management doc to help you pick the right technology:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Aboutsummaryindexing
