Solved: summary Index

VijaySrrie · ‎03-31-2021

Hi,

how will summary index actually work in relation to 'time based searches'

maybe the summary index could have no time value on each record?

We are replacing a lookup with a summary index.

we have 2000 entries in the lookup --> those entries will be pushed to summary index via a scheduled search

The lookup will be updated daily --> The updated data will go to summary Index

What will happen to old data that is already there in the summary Index?

manjunathmeti · ‎03-31-2021

hi @VijaySrrie,

Summary index events do have timestamps.

if your saved search results contain a _time field then the timestamp will be set to this field values in the summary index. If _time is not there then timestamp is set to the CURRENT time(when data is parsed) in the summary index.

Retention for the summary index is 5 years and the max data size is 500GB.

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎03-31-2021

hi @VijaySrrie,

Summary index events do have timestamps.

if your saved search results contain a _time field then the timestamp will be set to this field values in the summary index. If _time is not there then timestamp is set to the CURRENT time(when data is parsed) in the summary index.

Retention for the summary index is 5 years and the max data size is 500GB.

If this reply helps you, a like would be appreciated.

summary Index

metadata

stats

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation