Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do Accelerated Searches work with retention policies?

Ricapar
Communicator
‎01-14-2013 11:21 AM

I'm trying to plan out retention policies, and I'm unsure about how they play alongside searches that I've marked as accelerated.

For example, if I have simple saved search like this, marked as accelerated:

index=mydata | timechart span=1d count by host

Search runs over the past year's data.

If the retention policy sets something like this in indexes.conf:

# Freeze after 90 days
frozenTimePeriodInSecs = 7776000

What happens there? Will the search acceleration keep the summarized data, and (eventually) let me see the "| timechart count by host" chart, even after the data has been frozen (deleted)?

If not... How would I go about doing something like that?

Reply

bandit
Motivator
‎11-16-2016 04:06 PM

hmm... possibly we can mix tsidx reduction introduced in 6.4.0 with report acceleration?
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Reducetsidxdiskusage

I'm thinking of something like the following:
- increase index retention from 2 months to 6 months. (i'm expecting this to increase disk utilization)
- use tsidx reduction (hoping this will reduce my disk utilization to somewhat offset the increase in retention time)
- enable report acceleration

Wondering if I would get 6 months of acceleration???

0 Karma
Reply

mattness
Splunk Employee
Splunk Employee
‎01-15-2013 02:21 PM

Unfortunately, frozen data is frozen--Splunk cannot include it in report acceleration summaries, because report acceleration summaries are tied to the indexed data at the index bucket level (they live in your primary index, in other words).

So you have two choices. If you want to use report acceleration over a year's span, you'll need to extend your retention policy from 90 days to a year. But if you can't do that, you might try summary indexing instead. This process summarizes your data in a separate summary index that can have a different retention policy than your primary index, or no retention policy at all.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing

Reply

bandit
Motivator
‎11-16-2016 02:20 PM

Would be really cool if we could get independent retention for acceleration summaries in a future version of Splunk. Who wants to go back to summary indexes?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...