Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to optimize a large static historical search by getting cached results from the past and recalculating new deltas?

mgaraventa_splu
Splunk Employee
Splunk Employee
‎01-26-2015 11:00 AM

I want to run a simple search counting total number of events over a time duration such earliest = -6 months, latest = now.

Say I want to run this search on a daily basis, but obviously I don't need the past 6 months to be calculated and regenerated each time because each consecutive search is just going to add a small delta to the entire search, namely, 1 new days worth of data.

Is there a way for me to optimize this search or use some other Splunk functionality in order to get cached results from the past and just recalculate the new deltas?

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

mgaraventa_splu
Splunk Employee
Splunk Employee
‎01-26-2015 11:03 AM

This can be solved by following one of the 3 possible approaches listed in this documentation article:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Aboutsummaryindexing

i.e.

  1. Report acceleration - Uses automatically-created summaries to speed up completion times for certain kinds of reports.
  2. Data model acceleration - Uses automatically-created summaries to speed up completion times for pivots.
  3. Summary indexing - Enables acceleration of searches and reports through the manual creation of separate summary indexes that exist separately from your main indexes.

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

mgaraventa_splu
Splunk Employee
Splunk Employee
‎01-26-2015 11:03 AM

This can be solved by following one of the 3 possible approaches listed in this documentation article:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Aboutsummaryindexing

i.e.

  1. Report acceleration - Uses automatically-created summaries to speed up completion times for certain kinds of reports.
  2. Data model acceleration - Uses automatically-created summaries to speed up completion times for pivots.
  3. Summary indexing - Enables acceleration of searches and reports through the manual creation of separate summary indexes that exist separately from your main indexes.

Hope this helps.

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...