Splunk Lantern

Using summary indexing to accelerate searches in Splunk Cloud Platform


You are a Splunk Cloud Platform user who frequently runs many searches and also uses those searches as the foundation for dashboards and reports. These searches often summarize a large number of events, which increases the time needed to return results. In some cases, the load from these searches has a negative impact on your deployment: for example, search result times for all users are slowed down. You need a more efficient way to search that isn't so taxing on your deployment.

Solution

Splunk allows you to create summaries of your event data. These are smaller sets of event data populated by scheduled background searches, containing only the data needed to answer the search. When you run a search against one of these summaries, it completes significantly faster because the data you're searching over is much smaller than the original raw events.

Summary indexing is one method of creating data summaries. This video shows you how to use summary indexing. It covers:

  • An introduction to three data summary creation methods: data model acceleration, report acceleration, and summary indexing
  • When to use summary indexing instead of data model acceleration or report acceleration
  • How to enable summary indexing
  • How to avoid gaps and overlaps in your summarized data
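As an added example (not from this page or from Splunk's own documentation), these are the savedsearches.conf settings behind a summary-indexing setup, with the schedule and time range chosen so that consecutive runs neither overlap nor leave gaps. The search text, index name and field values are assumptions; in Splunk Cloud Platform you set the same options through a report's Edit Schedule and Edit Summary Indexing dialogs rather than by editing the file.

```ini
# savedsearches.conf (constructed example; app context and names are assumed)

# Stanza 1: the scheduled search that populates the summary index.
[Hourly web error summary]
enableSched = 1
# Run 5 minutes past each hour so events for the previous hour that arrived
# late are already indexed before the summary is written.
cron_schedule = 5 * * * *
# Earliest/latest are snapped to the hour boundary (@h), so each run covers
# exactly one hour: no overlap with the previous run and no gap before the next.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# sistats stores the partial statistics the final stats command needs, not raw events.
search = index=web sourcetype=access_combined status>=400 | sistats count by status, host
# Enable summary indexing for this scheduled search.
action.summary_index = 1
# Target summary index (assumed to exist already; in Splunk Cloud, indexes are created in the UI).
action.summary_index._name = summary
# Extra field stamped on every summary event, useful for selecting this summary later.
action.summary_index.report = web_errors

# Stanza 2: a report that reads the summary instead of the raw events.
[Web errors by status (from summary)]
# Summary events carry source=<name of the populating search>; filter on that
# (or the stamped report field) and finish with the stats command that matches
# the sistats command used to build the summary.
search = index=summary source="Hourly web error summary" report=web_errors | stats count by status, host
```

If a scheduled run is missed (for example, the search head was unavailable at that hour), that hour is absent from the summary; checking the scheduler's job history for skipped runs is the way to detect such gaps.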

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like What is Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

These resources might help you understand and implement this guidance:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.