Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what is the difference between summary indexing and data models?

Day
Engager
‎11-02-2023 03:45 AM

Hi 🙂 i'm new hier and i still don't understand the difference between summary indexing and data modeling.

When should I use each? Or which is the best option for optimizing searches?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 03:53 AM

Hi @Day,

they are both ways to accelerate searches when you have to use structured fields (searches using fields, not full text searches.

they both use schedule searches to take events from the raw logs

Data Models use DB tables, instead Summary indexes are standard Splunk indexes containing the extracted fields.

You can accelerate Data Models.

for more infos see at 

https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutsummaryindexing

https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutdatamodels

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 03:53 AM

Hi @Day,

they are both ways to accelerate searches when you have to use structured fields (searches using fields, not full text searches.

they both use schedule searches to take events from the raw logs

Data Models use DB tables, instead Summary indexes are standard Splunk indexes containing the extracted fields.

You can accelerate Data Models.

for more infos see at 

https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutsummaryindexing

https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutdatamodels

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-02-2023 03:52 AM

It depends on your data and what you are trying to get from it. It also depends on what sort of optimisation you are trying to achieve, e.g. speed, length of SPL, size of configuration data, maintenance overhead, etc.

Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top