Hi 🙂 I'm new here and I still don't understand the difference between summary indexing and data modeling.
When should I use each? Or which is the best option for optimizing searches?
Hi @Day,
They are both ways to accelerate searches when you have to use structured fields (searches using fields, not full-text searches).
They both use scheduled searches to take events from the raw logs.
Data Models use DB tables; Summary indexes instead are standard Splunk indexes containing the extracted fields.
You can accelerate Data Models.
For more info see:
https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutsummaryindexing
https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutdatamodels
Ciao.
Giuseppe
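To make the two mechanisms concrete, here is an added configuration example; it is not from Giuseppe's post or from the Splunk docs. The index name `auth`, the summary index `auth_summary`, the sourcetype and the saved-search name are assumed placeholders, and the data model section assumes the CIM `Authentication` data model is installed.

```ini
# --- savedsearches.conf (example; names are placeholders) ---
# A scheduled search that runs a few minutes after every hour, reads the
# previous hour of raw events from index=auth, pre-aggregates failed
# logins with sistats, and writes the result into the summary index
# "auth_summary". Later searches against index=auth_summary are cheap
# because they no longer have to scan the raw events.
[auth_failed_logins_hourly]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
action.summary_index = 1
action.summary_index._name = auth_summary
search = index=auth sourcetype=linux_secure action=failure | sistats count by user, src

# Consumer search for the summary index (run by an analyst or in a dashboard):
#   index=auth_summary | stats count by user, src
# Note that "stats" is used here, because "sistats" stored the partial results.

# --- datamodels.conf (example; assumes the CIM Authentication model) ---
# Instead of writing your own summary, accelerate the data model: Splunk
# keeps a summary for the last 7 days up to date every 5 minutes, and
# tstats reads from that summary instead of from the raw index.
[Authentication]
acceleration = 1
acceleration.earliest_time = -7d
acceleration.cron_schedule = */5 * * * *

# Consumer search for the accelerated data model. summariesonly=t limits
# the search to data that has already been summarised:
#   | tstats summariesonly=t count from datamodel=Authentication
#       where Authentication.action=failure
#       by Authentication.user, Authentication.src
```

The practical difference this shows: with summary indexing you decide the aggregation (here count by user and src) at write time, and anything else has to be re-summarised; with an accelerated data model the summary covers all the model's fields, so the `tstats` search can group by any of them without a new scheduled search.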
Hi,
as usual, it depends on your case. Here are some old posts and docs about those methods.
Which one is best for your use case depends entirely on your environment and your use case.
r. Ismo
It depends on your data and what you are trying to get from it. It also depends on what sort of optimisation you are trying to achieve, e.g. speed, length of SPL, size of configuration data, maintenance overhead, etc.