Is there a way to configure an index to retain summarized data for an accelerated report longer than the normal raw data?

sistemistiposta
Path Finder

Hello Splunk users,

I have some newbie questions about accelerated reports. I have accelerated a report simply by clicking on "Accelerate Report".
Good! It works!

With Report Acceleration, the "accelerated" data lives alongside the raw data it summarizes. When that data is deleted, the summarized data goes with it. (see https://answers.splunk.com/answers/103736/report-acceleration-does-all-time-retain-summarized-data-a...)

Is there a way to configure the index to maintain its summarized data longer than the normal raw data? The attribute "frozenTimePeriodInSecs" is valid for all indexed data. Maybe there is a way to configure it only for summarized data.

Thank you very much
Best Regards


lguinn2
Legend

No, you cannot keep Report Acceleration Summaries longer than the underlying data that they summarize. The summaries need the underlying data in order to function properly.

However, if you want to store summary data longer than the original data, you might be able to use Summary Indexing. As an example, let's say that you are currently indexing the error logs for a bunch of devices in your network. For 90 days, you need access to the individual incidents, but after that all you need is to be able to trace the number of errors per day by device. A good solution would be to run a search every day that calculates the number of errors by device for the previous day - and stores that calculation in a summary index. If you set the retention to 2 years for the summary index, then you could report based on the daily counts long after the individual events had been removed from the original index.

You might want to read more about Using Summary Indexing in the documentation.

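The setup the accepted answer describes (90 days of raw device error logs, a daily scheduled search that writes per-device counts into a separate summary index, and a 2-year retention on that summary index) can be expressed in two Splunk configuration files. This is an added illustration, not configuration from the original post or from the Splunk documentation; the index names `device_errors` and `summary_device_errors`, the saved-search name, the sourcetype and the `device` field are assumptions chosen for the example. The settings themselves (`frozenTimePeriodInSecs`, `cron_schedule`, `dispatch.earliest_time`, `action.summary_index._name`, and so on) are standard Splunk settings.

```ini
# --- indexes.conf (example; index names are assumed) ---

# Raw device error events: kept for 90 days, as in the answer's scenario.
# 90 days * 86400 seconds = 7776000
[device_errors]
homePath   = $SPLUNK_DB/device_errors/db
coldPath   = $SPLUNK_DB/device_errors/colddb
thawedPath = $SPLUNK_DB/device_errors/thaweddb
frozenTimePeriodInSecs = 7776000

# Summary index holding only the daily aggregate rows. Because it is a
# separate index, it gets its own retention: 730 days * 86400 = 63072000.
# This is the knob the question was looking for; it exists for summary
# indexes but not for Report Acceleration summaries.
[summary_device_errors]
homePath   = $SPLUNK_DB/summary_device_errors/db
coldPath   = $SPLUNK_DB/summary_device_errors/colddb
thawedPath = $SPLUNK_DB/summary_device_errors/thaweddb
frozenTimePeriodInSecs = 63072000

# --- savedsearches.conf (example; stanza name, sourcetype and field are assumed) ---

# Runs once a day shortly after midnight and aggregates the previous
# calendar day (-1d@d .. @d) so every day is counted exactly once.
[Daily device error counts]
search = index=device_errors sourcetype=device_error | stats count AS error_count BY device
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
cron_schedule = 15 0 * * *
enableSched = 1
# Write the results into the summary index instead of discarding them,
# tagging each row with report=daily_device_error_counts so it can be
# selected later.
action.summary_index = 1
action.summary_index._name = summary_device_errors
action.summary_index.report = daily_device_error_counts
```

Once the summary rows have been collected, the long-term report no longer touches the raw index at all; a search such as `index=summary_device_errors report=daily_device_error_counts | timechart span=1d sum(error_count) BY device` continues to work after the underlying events have aged out of `device_errors`. The 15-minute offset in `cron_schedule` leaves time for late-arriving events from the previous day to be indexed before they are counted; if the indexing pipeline lags more than that, the summary silently undercounts, so it is worth comparing a few days of summary totals against the raw index while both are still available.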
