- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If I delete all accelerated searches inside a summ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a massive summary index that contains multiple searches that I have selected to use acceleration.
Instead of deleting the summary index, if I deleted all the searches inside the index, would it delete the summary as well?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are no "searches" stored inside a summary index. The summary index contains the results of populating searches that have been run in the past. If you disable the populating searches, so that they no longer run on a schedule, you will stop adding new data to the summary index.
This will not delete the data in the summary index however; it would still exist until it ages out based on the index settings. While you could try to figure out which populating searches created which events and then delete them - it probably isn't worth the effort: the delete command does not recover the disk space.
I recommend that you
1) set up the new searches that you need, and use report acceleration
2) disable the unneeded searches that populate and report on the summary index
3) over time, the data in the summary index will age out, and only the actual summary information that you continue to use will remain
If you want, you can set the summary index settings to restrict the amount of space used by the summary index, or to set time-based retention. These settings are the same for a summary index as any other index, and can be set in indexes.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are no "searches" stored inside a summary index. The summary index contains the results of populating searches that have been run in the past. If you disable the populating searches, so that they no longer run on a schedule, you will stop adding new data to the summary index.
This will not delete the data in the summary index however; it would still exist until it ages out based on the index settings. While you could try to figure out which populating searches created which events and then delete them - it probably isn't worth the effort: the delete command does not recover the disk space.
I recommend that you
1) set up the new searches that you need, and use report acceleration
2) disable the unneeded searches that populate and report on the summary index
3) over time, the data in the summary index will age out, and only the actual summary information that you continue to use will remain
If you want, you can set the summary index settings to restrict the amount of space used by the summary index, or to set time-based retention. These settings are the same for a summary index as any other index, and can be set in indexes.conf
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
