Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

real-time monitoring on indexes , indexed summary

sbsbb
Builder
‎02-16-2013 11:38 AM

I have a couple of fields that I want to being able to search very quickly, because they are in XML files, and at search-time it takes too long.

So I thought, the best way is to extract this fields at index-time...

Now My questions :
- can I make a real-time search on that index fields ? (I've seen the normal way for splunk is to do realtime search directly before the indexer has done his job, but if I'm indexing the fields anyway, it make sense to search on that).

  • is it possible to automatically index the results of a real-time search as summary, so I can see on the one hand the actual situation on a real-time dashboard, and on the other hand, I'm able to request the same information from yesterday for example (without having to compute the result anymore) ?

  • Is it possible to define how long each indexed summary is kept ? The same for index database table ? Can I keep a summary longer as the indexed Datasource ?

Could you also say me what solution for that I have in 4.3.3 and 5 ?

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-16-2013 12:14 PM

it is most likely not helpful for you to create index-time fields to improve search speed. there are probably more effective methods, but that would depend on your data and the query.

it is not possible to summarize real-time searches. summaries inherently need to aggregate data, and it's most effective to aggregate data in bulk, not as it shows up in real time. Just create another job to summarize (or for report acceleration).

summary indexes are independent of their raw source data, but report-accelerated (automatic) summaries are not, and live and die with the raw source data.

0 Karma
Reply

sbsbb
Builder
‎02-17-2013 10:11 PM

My point ist I have big messages, and I want for each root element, get 3 or 4 fields, and store them, so I can have a quick search (and a dashboard), and only read the whole message, if I see a problem, how can I ashieve that ?
If I only make a scheduled search, I only have to wait until it is executed to have the data, I want to have it as soon as possible...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...