Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiple summary indexes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need to schedule daily jobs for summary indexing.. There are 6 of the same jobs (licence usage over a month(3) & day(3) for 3 separate indexes that populate a dashboard). I was thinking of scheduling the monthly usage to run daily, and daily usage to run each hour?
Should I create a separate summary index for each of the 6?
Do they all need to run at separate times (set schedule window)?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a separate summary index if you want to, but you probably don't need to. You create a new summary index for generally the same reasons you create a new index: access control, retention period, and volume.
In our case, we have most summary searches all writing to the same summary index, and then separate summary indexes for 1) very high volume summarizations (millions of events per day), and 2) summarizations of events from security indexes.
It sounds like you have 6 jobs, but you might only need two. You should be able to consolidate the searches and then use the fields in the summary data at search time to create each dashboard. You can stagger the searches and/or use the window option to schedule the searches so the load distributes more evenly.
Also be mindful of your search interval vs your search time range. If you are summarizing, they probably should be equal. If I was going to create a monthly report, for example, I'd probably schedule the search to run daily and summarize the previous day's events. Then in my dashboard, I'd use those daily values to build a monthly total.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a separate summary index if you want to, but you probably don't need to. You create a new summary index for generally the same reasons you create a new index: access control, retention period, and volume.
In our case, we have most summary searches all writing to the same summary index, and then separate summary indexes for 1) very high volume summarizations (millions of events per day), and 2) summarizations of events from security indexes.
It sounds like you have 6 jobs, but you might only need two. You should be able to consolidate the searches and then use the fields in the summary data at search time to create each dashboard. You can stagger the searches and/or use the window option to schedule the searches so the load distributes more evenly.
Also be mindful of your search interval vs your search time range. If you are summarizing, they probably should be equal. If I was going to create a monthly report, for example, I'd probably schedule the search to run daily and summarize the previous day's events. Then in my dashboard, I'd use those daily values to build a monthly total.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
