Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Expire Summary Indexing Information

KarunK
Contributor
‎03-07-2012 08:49 PM

Hi,

I am setting up summary indexing for period of 5min, weekly and monthly. Here is how I want it to be implemented.

Every Five minutes a schedule search will run and calculate the results for past 5minutes. After one week I would to expire these results and trigger another search that will search for the whole previous week. An after one month i would like to expire the weekly results and trigger another search for past whole month.

So a user can access 5 min data for the past week and weekly data for the previous week and monthly data before last month.

How will I implement this ?

Thanks in Advance.

Tags (1)
0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎03-07-2012 09:25 PM

Create a summary index for each set;

summary5min (Retention policy, 1 week)

summary1week (Retention policy 1 month)

summary1month (Retention policy ??? )

every 5 min scheduled saerch is indexed to summary5min

every week schduled saerch is indexed to summary1week

every month scheduled search is indexed to summary1month

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...