Splunk Search

Does charting data age out over time?

Dimitri_McKay
Splunk Employee
Splunk Employee

Does the charting data "age" like RRD data (as an example: a 5 minute sample rate gets turned into a 15 minute average after a week, a 30 minute one after two, etc...)? Is the chart data indexed separately from the logs or do you lose data that is from buckets that have been rotated to cold/frozen storage?

0 Karma
1 Solution

Dimitri_McKay
Splunk Employee
Splunk Employee

NO, charting data is typically the same data as raw. That is, all data to splunk is first class. That said, you can either create summary indexes and then use them to deal with a all-->5m-->15m-->30m type scenario. I have had many customer do so, but in the end, the 5.0 report acceleration probably accomplishes enough and saves you the effort. NO, data is not lost as it is moved from Hot/Warm to Cold, but yes, as data is frozen, we remove the index file and keep the raw. If/when it is restored, the rebuild process is part of that. This keeps the frozen files MUCH smaller.

View solution in original post

Dimitri_McKay
Splunk Employee
Splunk Employee

NO, charting data is typically the same data as raw. That is, all data to splunk is first class. That said, you can either create summary indexes and then use them to deal with a all-->5m-->15m-->30m type scenario. I have had many customer do so, but in the end, the 5.0 report acceleration probably accomplishes enough and saves you the effort. NO, data is not lost as it is moved from Hot/Warm to Cold, but yes, as data is frozen, we remove the index file and keep the raw. If/when it is restored, the rebuild process is part of that. This keeps the frozen files MUCH smaller.

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...