Solved: Re: summary Index

vijaysri · ‎03-31-2021

Hi,

how will summary index actually work in relation to 'time based searches'

maybe the summary index could have no time value on each record?

We are replacing a lookup with a summary index.

we have 2000 entries in the lookup --> those entries will be pushed to summary index via a scheduled search

The lookup will be updated daily --> The updated data will go to summary Index

What will happen to old data that is already there in the summary Index?

manjunathmeti · ‎03-31-2021

hi @vijaysri,

Summary index events do have timestamps.

if your saved search results contain a _time field then the timestamp will be set to this field values in the summary index. If _time is not there then timestamp is set to the CURRENT time(when data is parsed) in the summary index.

Retention for the summary index is 5 years and the max data size is 500GB.

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎03-31-2021

hi @vijaysri,

Summary index events do have timestamps.

if your saved search results contain a _time field then the timestamp will be set to this field values in the summary index. If _time is not there then timestamp is set to the CURRENT time(when data is parsed) in the summary index.

Retention for the summary index is 5 years and the max data size is 500GB.

If this reply helps you, a like would be appreciated.

summary Index

metadata

stats

subsearch

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!