Splunk Search

If I delete all accelerated searches inside a summary index, would it delete the summary as well?

mmensch
Path Finder

I have a massive summary index that contains multiple searches that I have selected to use acceleration.

Instead of deleting the summary index, if I deleted all the searches inside the index, would it delete the summary as well?

Thanks

0 Karma
1 Solution

lguinn2
Legend

There are no "searches" stored inside a summary index. The summary index contains the results of populating searches that have been run in the past. If you disable the populating searches, so that they no longer run on a schedule, you will stop adding new data to the summary index.

This will not delete the data in the summary index however; it would still exist until it ages out based on the index settings. While you could try to figure out which populating searches created which events and then delete them - it probably isn't worth the effort: the delete command does not recover the disk space.

I recommend that you
1) set up the new searches that you need, and use report acceleration
2) disable the unneeded searches that populate and report on the summary index
3) over time, the data in the summary index will age out, and only the actual summary information that you continue to use will remain

If you want, you can set the summary index settings to restrict the amount of space used by the summary index, or to set time-based retention. These settings are the same for a summary index as any other index, and can be set in indexes.conf

View solution in original post

lguinn2
Legend

There are no "searches" stored inside a summary index. The summary index contains the results of populating searches that have been run in the past. If you disable the populating searches, so that they no longer run on a schedule, you will stop adding new data to the summary index.

This will not delete the data in the summary index however; it would still exist until it ages out based on the index settings. While you could try to figure out which populating searches created which events and then delete them - it probably isn't worth the effort: the delete command does not recover the disk space.

I recommend that you
1) set up the new searches that you need, and use report acceleration
2) disable the unneeded searches that populate and report on the summary index
3) over time, the data in the summary index will age out, and only the actual summary information that you continue to use will remain

If you want, you can set the summary index settings to restrict the amount of space used by the summary index, or to set time-based retention. These settings are the same for a summary index as any other index, and can be set in indexes.conf

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...