Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best and most economical method for keeping a continuously maintained reference of historical values?

DrFedtke
Explorer
‎08-19-2015 03:28 AM

Hi all,

We want to compare "today" values in real-time with some aggregatedvalues of yesterday ("day -1"), "day -2", "week mean value", ... etc.

Instead of keeping all the old data (causing volume) to calculate all these reference values anew each day, we want to determine day-related totals, mean values, etc. each day at 1am, and store these values in a kind of "reference table". This allows us to delete old data. Deviations of the real-time monitoring are calculated by referring to that reference table.

What is the best way to realize such a mechanism in Splunk?

Is a lookup table the best choice for keeping the "day(-1)",
... histories? or is there any better method?

Thanks for any tip, link, or sample code.

best, and thanks to all
Caspar

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎08-22-2015 06:15 AM

I second bmacias84's thought, a summary index sounds like exactly what you need. For a very small, isolated set a lookup table would work fine, but what I've found is that as soon as you implement that, you'll realize you also want per hour history, per week, maybe per minute... and it snowballs out of easy manageability.

In addition to his link for the official documentation on Configuring Summary Indexes, I'd recommend an additional resource: Go to the .Conf 2013 session page here and watch the breakout session "Automating Operational Intelligence: Stats and Summary Indexes" by Jesse Trucks. It is a great run-through of creating one.

0 Karma
Reply

somesoni2
Revered Legend
‎08-19-2015 01:37 PM

If the no of aggregated values for each day is very small, you can use lookup table for faster response. You'd have to create a scheduled search to run daily and append yesterday's aggregated to the lookup table.

Reply

bmacias84
Champion
‎08-19-2015 09:43 AM

using Summary indexing with sistats or sitimechart.

http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Configuresummaryindexes

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...