You are a Splunk platform user who frequently runs a lot of searches, as well as uses those searches as the foundation for dashboards and reports. These searches often have a lot of events summarized within them, which affects the amount of time needed to return search results. In some cases, the load of these searches can have a negative impact on your deployment, for example search result times for all users can be slowed down. You need to find a more efficient way to search that doesn't negatively effect performance as much.
Splunk allows you to create summaries of your event data. These are smaller segments of event data populated by background searches that only include the data needed to fulfill the search. When you run a search against one of these summaries, it should complete significantly faster since the data you're searching over is much smaller than the original raw events.
Summary indexing is one type of data summary creation. This video shows you how to use summary indexing. It covers:
- An introduction to three different data summary creation methods - data model acceleration, report acceleration, and summary indexing
- When you should use summary indexing instead of data model acceleration or report acceleration
- How to enable summary indexing
- How to avoid gaps and overlaps in your data
This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.
These resources might help you understand and implement this guidance:
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.