Splunk Search

Multiple summary indexes

mansel_scheffel
Explorer

Hi,

I need to schedule daily jobs for summary indexing. There are 6 of the same jobs (licence usage over a month (3) and day (3) for 3 separate indexes that populate a dashboard). I was thinking of scheduling the monthly usage to run daily, and daily usage to run each hour?

Should I create a separate summary index for each of the 6?

Do they all need to run at separate times (set schedule window)?

Thanks

1 Solution

Jeremiah
Motivator

You can create a separate summary index if you want to, but you probably don't need to. You create a new summary index for generally the same reasons you create a new index: access control, retention period, and volume.

In our case, we have most summary searches all writing to the same summary index, and then separate summary indexes for 1) very high volume summarizations (millions of events per day), and 2) summarizations of events from security indexes.

It sounds like you have 6 jobs, but you might only need two. You should be able to consolidate the searches and then use the fields in the summary data at search time to create each dashboard. You can stagger the searches and/or use the window option to schedule the searches so the load distributes more evenly.

Also be mindful of your search interval vs your search time range. If you are summarizing, they probably should be equal. If I was going to create a monthly report, for example, I'd probably schedule the search to run daily and summarize the previous day's events. Then in my dashboard, I'd use those daily values to build a monthly total.
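
An added example (not from the thread) of the consolidated layout described above: one hourly and one daily saved search summarizing license usage for all indexes into a shared summary index, each with a search range equal to its interval and a schedule window to spread load, plus dashboard reports that split by index and roll daily rows into a monthly total at search time. The stanza names, the "summary" index name, the cron offsets and the 30-day window are assumptions.

```ini
# savedsearches.conf (assumed app context; stanza names, the "summary" index
# name and the 30-day dashboard window are assumptions, not from the thread).

# One hourly job covers the "daily usage" panels for all indexes: the search
# range (-1h@h to @h) equals the interval, so every hour is counted exactly once.
[license_usage_hourly_summary]
search = index=_internal source=*license_usage.log* type=Usage \
  | eval idx=if(isnull(idx) OR idx="", "(UNKNOWN)", idx) \
  | bin _time span=1h \
  | stats sum(b) AS bytes BY _time idx
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Allow the scheduler to start this job up to 30 minutes late so it does not
# collide with the daily job and other scheduled searches.
schedule_window = 30
action.summary_index = 1
action.summary_index._name = summary

# One daily job feeds the monthly panels: it summarizes only the previous day.
[license_usage_daily_summary]
search = index=_internal source=*license_usage.log* type=Usage \
  | eval idx=if(isnull(idx) OR idx="", "(UNKNOWN)", idx) \
  | bin _time span=1d \
  | stats sum(b) AS bytes BY _time idx
enableSched = 1
cron_schedule = 15 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
schedule_window = 60
action.summary_index = 1
action.summary_index._name = summary

# Dashboard searches are plain reports over the summary rows. Summary-indexed
# events carry source=<saved search name>, so one job serves every panel and
# the per-index split happens at search time on the idx field
# (add e.g. idx=web to a panel search to scope it to one index).
[dashboard_daily_usage_by_index]
search = index=summary source="license_usage_hourly_summary" earliest=-1d@d latest=@d \
  | timechart span=1h sum(bytes) AS bytes BY idx

[dashboard_monthly_total_per_index]
search = index=summary source="license_usage_daily_summary" earliest=-30d@d latest=@d \
  | stats sum(bytes) AS bytes BY idx \
  | eval gb=round(bytes/pow(1024,3), 2)
```

Because each scheduled search only covers its own interval, a missed or late run leaves a gap in the summary rather than double-counting; backfill such gaps with the fill_summary_index.py script shipped with Splunk rather than by widening the time range.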
