Getting Data In

summary indexing

SplunkySplunk
Explorer

Hello.

I'm using Splunk Cloud and thinking about adding a summary index or a data model.

I'm trying to understand the difference between the 3 options:
summary index, report acceleration and data model.
Can someone please explain to me what the main purpose of each is?
Is using a summary index the best way to avoid performance issues with heavy searches?
How does it work with a summary index? Should I create a new index and run my dashboards on this index?
Thanks


gcusello
SplunkTrust

Hi @SplunkySplunk,

as @inventsekar said, these are three ways to accelerate searches that run in different ways and are to be used in different conditions.

e.g. I used report acceleration when I had a dashboard with many real-time searches, used by many users: I created an accelerated report that was visualized in the dashboard; in this way I had a near-real-time dashboard used by many users that ran only one search.

Data Models are the most efficient solution if you have to search only using predefined fields.

Summary indexes are very useful when you want to reduce and structure your logs: e.g. if you have the logs from a firewall (which usually are very many and have many fields that are not always used!), you can reduce the logs and use the reduced logs for your searches, also on raw (reduced) logs.

As @inventsekar and I said, it depends on what your requirement is.

Ciao.

Giuseppe


sarit_s
Communicator

Hello

Thanks for your reply.

I have a few heavy dashboards, most of which use the same base search, so I thought that a summary index could be the right way to reduce the running time.

As I understood from the documentation, I need to create a report that runs the base search, schedule it to run once a day, and send the result to a summary index. Is that right?

If yes, should I run the dashboards with the summary index and the "regular" index? Also, if the report results are saved in the summary index, does it mean the logs are saved twice? Once in the "regular" index and once in the summary index?


ITWhisperer
SplunkTrust

The answer depends on your use case.

One approach, which you seem to be alluding to, is to run a daily report to populate the summary index (with the results from the search, not the raw events). Your dashboard could then read from the summary index and append results from the raw index to cover the gap from the end of the previous day to the end of your time period.

So, to answer your final question, the logs are not saved twice (unless the report which is populating the summary index is saving the raw events, but why would you do that, as it doesn't provide any benefit).

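The daily-report-plus-gap pattern described above, written out as an added example (constructed for this thread; it is not code posted by ITWhisperer and not something Splunk ships). It also covers the earlier question about whether to create a separate index: the summary goes to its own index, which must exist before the report first runs (on Splunk Cloud, create it under Settings > Indexes). The index name summary_fw, the source index firewall, the sourcetype pan:traffic and the fields src_ip, dest_ip, action and bytes are assumptions; substitute your own.

```ini
# savedsearches.conf (constructed example, not from the original thread).
# Assumed names: source index "firewall", sourcetype "pan:traffic",
# summary index "summary_fw"; the fields src_ip, dest_ip, action and bytes
# are assumptions about the firewall data.

# 1. Scheduled report. Runs at 00:15 over the whole previous calendar day and
#    writes the aggregated rows (one per day/src_ip/dest_ip/action), not the
#    raw events, into the summary index. The day bucket is kept in _time so
#    each summary row carries the day it describes.
[fw_daily_summary]
search = index=firewall sourcetype=pan:traffic | bin _time span=1d | stats count sum(bytes) as bytes by _time src_ip dest_ip action
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
cron_schedule = 15 0 * * *
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_fw

# 2. Base search for the dashboards. Completed days are read from the summary
#    index (search_name is added automatically by the summary index action);
#    today's partial day is appended from the raw index with the same
#    aggregation, then both are rolled up into one result set.
[fw_last7d_base]
search = index=summary_fw search_name="fw_daily_summary" earliest=-7d@d latest=@d | append [ search index=firewall sourcetype=pan:traffic earliest=@d latest=now | bin _time span=1d | stats count sum(bytes) as bytes by _time src_ip dest_ip action ] | stats sum(count) as count sum(bytes) as bytes by src_ip dest_ip action
```

Dashboards call the base search with `| savedsearch fw_last7d_base` (or use the second search as the dashboard's base search). Because the summary index holds one aggregated row per day, src_ip, dest_ip and action rather than raw events, nothing is stored twice, and only the short "today" window ever touches the raw index. The report is pinned to the previous calendar day with dispatch.earliest_time/latest_time rather than "last 24 hours", so a run that starts late still covers exactly one day; a run that is skipped altogether leaves a hole in the summary, so alert on skipped scheduled searches (index=_internal sourcetype=scheduler status=skipped) and backfill the missing day.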

inventsekar
SplunkTrust

Hi @SplunkySplunk 

All three are big concepts, and it looks like you have done some studying on the Splunk docs (if not, the links are below).

Maybe you should state your requirements more clearly, so there will be better answers. Thanks.

 

https://docs.splunk.com/Documentation/Splunk/9.1.2/Knowledge/Usesummaryindexing

https://docs.splunk.com/Documentation/Splunk/9.1.2/Knowledge/Aboutdatamodels

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Knowledge/Manageacceleratedsearchsummarie...

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !