Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How summary index a entire index

felipesewaybric
Contributor
‎12-05-2013 07:59 AM

I want to take one of my index and make faster, like this:

index=ltm

summary_index=ltm_summary

Thank you guys.

Tags (1)
Reply

sowings
Splunk Employee
Splunk Employee
‎12-11-2013 12:55 PM

Note that a summary index is not magic. It's faster than a regular index because you've done something (like stats, etc) to distill the data, and reduce the overall number of rows. Simply copying one index to a summary index doesn't make it faster.

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-05-2013 08:21 AM

Not quite.

You will need two indexes. "ltm" and "ltm_summary".

To populate the summary index (quick and dirty): your_search | do_things | collect index=ltm_summary

To use the summary index: your_search index=ltm_summary | do_more_things

You will want to review this: http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Usesummaryindexing

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-11-2013 12:03 PM

Has this helped? Please mark accepted if it answered your question.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...