Using summary indexing to accelerate searches
You are a Splunk platform user who runs a lot of searches and uses those searches as the foundation for dashboards and reports. Many of these searches summarize a large number of events, which increases the time needed to return results. In some cases the load from these searches can degrade your whole deployment, for example by slowing search result times for every user. You need a more efficient way to search that does not affect performance as much.
Solution
The Splunk platform allows you to create summaries of your event data. A summary is a much smaller data set, populated by a scheduled background search, that holds only the fields and aggregate statistics a downstream search needs rather than the raw events. When you run a search against one of these summaries it completes significantly faster, because the data you are searching over is a small fraction of the original raw events.
Summary indexing is one type of data summary creation. This video shows you how to use summary indexing. It covers:
- An introduction to three different data summary creation methods - data model acceleration, report acceleration, and summary indexing
- When you should use summary indexing instead of data model acceleration or report acceleration
- How to enable summary indexing
- How to avoid gaps and overlaps in your data
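The configuration below is an added example, not content from the video or from Splunk's own documentation. It shows the two pieces that summary indexing consists of: a scheduled search that writes hourly counts of failed SSH logins into a summary index, and the fast search that is later run against that summary. The search name, the `security` index, the `linux_secure` sourcetype and the `summary` index name are assumptions for illustration; the `si*` commands, the `action.summary_index.*` settings and the time modifiers are standard Splunk features.

```ini
# savedsearches.conf (assumed app: search) -- added example, not from the page
[login_failures_hourly]
# Use the summary-indexing variant of stats so that later searches can
# run stats/timechart over the summary without losing accuracy.
search = index=security sourcetype=linux_secure "Failed password" \
  | sistats count by src, user

# Run at five minutes past every hour ...
enableSched = 1
cron_schedule = 5 * * * *

# ... over exactly the previous whole hour. Snapping both bounds to the
# hour (@h) is what prevents gaps and overlaps: consecutive runs tile
# the timeline edge to edge, and the 5-minute delay lets late-arriving
# events be indexed before the window is summarized.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Continuous scheduling: if the scheduler falls behind (restart, load),
# missed runs are executed later rather than skipped, so no hour is lost.
realtime_schedule = 0

# Write the results to the summary index and tag every summary event with
# a report field so several summary searches can share one index.
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = login_failures_hourly
```

The dashboard or report then searches the summary instead of the raw events, for example `index=summary report=login_failures_hourly earliest=-30d | stats count by src | sort - count`; because the summary was built with `sistats`, the plain `stats` here returns the same counts the raw search would, from a tiny fraction of the data. If you enable the search after the data already exists, or the scheduler still misses a window, backfill the missing hours with the `fill_summary_index.py` script shipped in `$SPLUNK_HOME/bin` (its `-dedup` option skips windows the summary already covers, so backfilling does not create overlaps); the exact invocation is in the Splunk Docs page linked under Next steps.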
Next steps
These resources might help you understand and implement this guidance:
- Splunk Docs: Manage summary index gaps (in Enterprise and Cloud)