Reporting

What are the differences between the various features named "summary" in Splunk?

mataharry
Communicator

There are many features using objects named "summary"; this is confusing, please clarify.

What are the differences between all those paths?

$SPLUNK_HOME/var/lib/splunk/summary/db
$SPLUNK_HOME/var/lib/splunk/defaultdb/summary
$SPLUNK_HOME/var/lib/splunk/defaultdb/datamodel_summary

In savedsearches, what do auto_summarize and alert.action=summary mean?

1 Solution

yannK
Splunk Employee

To clarify, there are 3 features named "summary" in Splunk:

A - Summary indexing: classic since Splunk 4.*

  • populated by scheduled searches; can use the special "si*" stats commands (use the parameter alert.action=summary in savedsearches.conf)
  • results are saved in the spooler and reindexed with the sourcetype stash_new
  • stored in an index of your choice
  • an index named "summary" is shipped with Splunk by default ($SPLUNK_HOME/var/lib/splunk/summary/db)
  • the results have to be retrieved with a special search syntax
  • docs: http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Usesummaryindexing

B - Report acceleration: introduced in Splunk 5.*

C - Data model acceleration: introduced in Splunk 6.*

Remark: none of those features counts against your license usage, but they can add some extra search load to generate the summarized data.

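As an added example (not part of the original answer), here is how the three features look when configured in savedsearches.conf and datamodels.conf. The stanza names, the `web` index, the sourcetype and the `Web` data model name are assumptions; the `action.summary_index*`, `auto_summarize*` and `acceleration*` keys are the documented settings for each feature.

```ini
# --- savedsearches.conf (added example; stanza names, index and sourcetype are assumed) ---

# A - Summary indexing: a scheduled transforming search whose results are
# spooled and reindexed as stash events into the default "summary" index.
[daily_web_hits_by_host]
search = index=web sourcetype=access_combined | sistats count by host
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
# realtime_schedule=0 makes the scheduler run every missed slot in order
# instead of skipping it, which limits the gaps that would need backfilling.
realtime_schedule = 0
action.summary_index = 1
action.summary_index._name = summary
# every action.summary_index.<field> becomes a field on each summary event;
# "report" is a conventional tag used to find this search's data later.
action.summary_index.report = daily_web_hits_by_host

# B - Report acceleration: the summary is kept alongside the source index's
# buckets (the <index>/summary directory from the question) and reused
# whenever the identical search text runs again; nothing is reindexed.
[web_status_dashboard]
search = index=web sourcetype=access_combined | timechart span=1h count by status
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -30d@d
auto_summarize.cron_schedule = */10 * * * *

# --- datamodels.conf (added example; the Web data model is assumed) ---

# C - Data model acceleration: summaries are built per data model, stored
# under <index>/datamodel_summary, and queried with tstats.
[Web]
acceleration = true
acceleration.earliest_time = -1mon
acceleration.backfill_time = -7d
acceleration.cron_schedule = */5 * * * *
```

Of the three, only A writes new events (the stash_new reindex); B and C build summaries that Splunk consults for you, so the paths under defaultdb/summary and defaultdb/datamodel_summary are caches tied to that index's buckets rather than indexes you search directly.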


jaredlaney
Contributor

@yannK - Is there any way you could explain these in more of a conceptual vs. a mechanical way?

0 Karma

jaredlaney
Contributor

For example, maybe explain if one is more like an additional index vs. one being a cache? Maybe some good cases of when to use one vs. when to use another.

0 Karma

yannK
Splunk Employee

Those methods A and B are not supposed to complement each other; they are just 2 ways to achieve the same thing.

A - The "Summary indexing" is like generating events in a new index.
It is perfect to generate a new set of pre-calculated data and keep it for a longer retention.
Example: having millions of web access logs in an index with a short retention, and every day summarizing them as a number of hits per day, stored in a dedicated index with a long retention. At the end you will only keep this information.
The only difficulty is if a scheduled search is skipped, you may have a gap to backfill.

B - Report acceleration is for searches only; it precalculates them for you.
Example: having a long statistical search over a long period to populate a dashboard. Accelerate it to run all the time in the background, and it loads faster.

C - Data model acceleration is only useful if you already have a datamodel. They are usually heavier to run, so accelerating them will help.
Example: the Common Information Model (CIM) comes with many datamodels; once the volume is large, the searches are slower. When the acceleration is turned on (depending on the backfill range), it will be faster for the recent days.

mic
Splunk Employee

yannK mentioned the following:

an index named "summary" is shipped with splunk by default ($SPLUNK_HOME/var/lib/splunk/summary/db)

I believe it's $SPLUNK_HOME/var/lib/splunk/summarydb, not $SPLUNK_HOME/var/lib/splunk/summary/db. Notice that there is no backslash between "summary" and "db".

0 Karma