Suppose you have the following scenario:
Now, suppose your requirement is that if a report is re-generated for Feb 5, 2011, it must match the original results, ignoring any new data for Feb 5 that came in and got indexed afterward.
Is there a way to do this in Splunk? If so, what would be the most efficient way? Summary Indexing, perhaps?
To do this, base your report off a scheduled search. Keep those results around for a week or longer, depending on the time window here, and have that report load from cache in a dashboard.
Also consider setting up the search as a PDF alert; then you have the PDF frozen in time and accessible afterward.
One way might be to run a daily report that summarizes the report statistics into the summary index (a different index) and then, from that point forward, recreate the report from the summary index instead of from the raw events in the main index, thus avoiding the possibility of including the extra events that got indexed late.
You could probably also add a new field called "reportdate" to the summary report with a text-based date value like "Feb 5, 2001" and then search on that field.
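One concrete shape for the summary-index approach in the answer above, as an added example rather than the answer's own configuration; the stanza name, the `report_summary` index, the `report` marker field and the `access_combined` sourcetype are assumptions:

```ini
# savedsearches.conf -- hypothetical stanza for this example.
# Runs once a day over the previous calendar day and writes the finished
# statistics into a separate summary index.  Anything for that day that is
# indexed after 00:30 is never seen by this run, so the summary is frozen.
[daily_host_report_summary]
search = index=main sourcetype=access_combined \
  | stats count AS hits BY host \
  | addinfo \
  | eval reportdate=strftime(info_min_time, "%b %d, %Y") \
  | fields - info_min_time info_max_time info_sid info_search_time
enableSched = 1
cron_schedule = 30 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
action.summary_index = 1
action.summary_index._name = report_summary
# Static marker added to every summary event so several summarizing searches
# can share the one index.
action.summary_index.report = daily_host_report

# Re-generating the Feb 5, 2011 report later is then a search against the
# summary, keyed on reportdate rather than on the time picker, and never
# touches index=main (search window set to cover the summary's retention):
#   index=report_summary report=daily_host_report reportdate="Feb 05, 2011"
#   | table reportdate host hits
```

`addinfo` supplies `info_min_time`, the earliest time of the scheduled run's window, which is what makes `reportdate` the day the report covers rather than the day the search ran. A skipped or failed scheduled run leaves a gap for that day; backfilling it later would pull in the late events the original run never saw, so treat such gaps as missing rather than silently refilling them.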