Splunk Search

If summary searches run every 5 minutes, can a non-summary search be merged with the summary to fill in the most recent 5 minutes?

Summary searches occur every 5 mins, but for those who need more immediate results, can a non-summary search be merged with the summary to fill in the most recent 5 mins? Would this make a difference in efficiency for a scheduled search that searches an hour back?

index=weblogsummary latest=-5m@m HTTPRESPONSE="40" URL="" | append [|search index="weblog" earliest=-5m@m HTTP_RESPONSE="40" URL=""]

SplunkTrust

That sounds very much like report acceleration / data model acceleration. Both ways accelerate a search every X minutes and load the most recent minutes on the fly transparently without the user noticing.

As for the question itself, sure - just remember to apply whatever reporting happened to the summary search in the last-five-minutes-search as well.

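A worked version of the answer's advice (the same aggregation applied to both the summary half and the last-minutes half, with a guard against double counting at the boundary), written as savedsearches.conf stanzas; this is an added example, not the poster's search or Splunk's own code. The stanza names, the 5-minute lag before a bucket is summarised, and the assumption that the field is spelled HTTP_RESPONSE in both the raw and the summary data are assumptions.

```ini
# savedsearches.conf (added example; stanza names and field spelling are assumptions)

# 1) Scheduled summary: every 5 minutes, aggregate the 5-minute bucket that ended one
#    bucket ago (the lag absorbs indexing latency) and write the counts to weblogsummary.
#    Summary indexing adds search_name to every row, which the on-demand search keys on.
[http_4xx_by_url_summary]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = -5m@m
action.summary_index = 1
action.summary_index._name = weblogsummary
search = index=weblog HTTP_RESPONSE=4* \
  | bin _time span=5m \
  | stats count BY _time HTTP_RESPONSE URL

# 2) On-demand search for the last hour: summary rows for completed buckets, raw events
#    for the buckets the summary has not written yet, aggregated with the SAME bin/stats
#    clause as the scheduled search (the point the answer makes). Each row is tagged with
#    its origin; where a bucket exists in both, the raw copy is dropped so the boundary
#    is never counted twice. Only the last 15 minutes of raw data are scanned, which is
#    where the efficiency gain over a plain hour-long raw search comes from.
[http_4xx_by_url_last_hour]
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = index=weblogsummary search_name="http_4xx_by_url_summary" latest=-5m@m \
  | eval src="summary" \
  | append [ search index=weblog HTTP_RESPONSE=4* earliest=-15m@m \
             | bin _time span=5m \
             | stats count BY _time HTTP_RESPONSE URL \
             | eval src="raw" ] \
  | eventstats values(src) AS srcs BY _time \
  | where src="summary" OR isnull(mvfind(srcs, "summary")) \
  | stats sum(count) AS count BY _time HTTP_RESPONSE URL \
  | sort - count
```

The filter HTTP_RESPONSE=4* covers all 4xx client errors where the poster's search used the literal "40"; narrow it to match whatever the production summary search actually reports on.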
