Solved: summary Index

VijaySrrie · ‎03-31-2021

Hi,

how will summary index actually work in relation to 'time based searches'

maybe the summary index could have no time value on each record?

We are replacing a lookup with a summary index.

we have 2000 entries in the lookup --> those entries will be pushed to summary index via a scheduled search

The lookup will be updated daily --> The updated data will go to summary Index

What will happen to old data that is already there in the summary Index?

manjunathmeti · ‎03-31-2021

hi @VijaySrrie,

Summary index events do have timestamps.

if your saved search results contain a _time field then the timestamp will be set to this field values in the summary index. If _time is not there then timestamp is set to the CURRENT time(when data is parsed) in the summary index.

Retention for the summary index is 5 years and the max data size is 500GB.

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎03-31-2021

hi @VijaySrrie,

Summary index events do have timestamps.

if your saved search results contain a _time field then the timestamp will be set to this field values in the summary index. If _time is not there then timestamp is set to the CURRENT time(when data is parsed) in the summary index.

Retention for the summary index is 5 years and the max data size is 500GB.

If this reply helps you, a like would be appreciated.

summary Index

metadata

stats

subsearch

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?