Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If I delete all accelerated searches inside a summary index, would it delete the summary as well?

mmensch
Path Finder
‎12-08-2015 08:00 AM

I have a massive summary index that contains multiple searches that I have selected to use acceleration.

Instead of deleting the summary index, if I deleted all the searches inside the index, would it delete the summary as well?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-08-2015 04:58 PM

There are no "searches" stored inside a summary index. The summary index contains the results of populating searches that have been run in the past. If you disable the populating searches, so that they no longer run on a schedule, you will stop adding new data to the summary index.

This will not delete the data in the summary index however; it would still exist until it ages out based on the index settings. While you could try to figure out which populating searches created which events and then delete them - it probably isn't worth the effort: the delete command does not recover the disk space.

I recommend that you
1) set up the new searches that you need, and use report acceleration
2) disable the unneeded searches that populate and report on the summary index
3) over time, the data in the summary index will age out, and only the actual summary information that you continue to use will remain

If you want, you can set the summary index settings to restrict the amount of space used by the summary index, or to set time-based retention. These settings are the same for a summary index as any other index, and can be set in indexes.conf

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-08-2015 04:58 PM

There are no "searches" stored inside a summary index. The summary index contains the results of populating searches that have been run in the past. If you disable the populating searches, so that they no longer run on a schedule, you will stop adding new data to the summary index.

This will not delete the data in the summary index however; it would still exist until it ages out based on the index settings. While you could try to figure out which populating searches created which events and then delete them - it probably isn't worth the effort: the delete command does not recover the disk space.

I recommend that you
1) set up the new searches that you need, and use report acceleration
2) disable the unneeded searches that populate and report on the summary index
3) over time, the data in the summary index will age out, and only the actual summary information that you continue to use will remain

If you want, you can set the summary index settings to restrict the amount of space used by the summary index, or to set time-based retention. These settings are the same for a summary index as any other index, and can be set in indexes.conf

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...