Summary Indexes and CSV Files
As the number of events retrieved by a query increases, performance decreases
linearly. Summary indexing allows you to calculate statistics in advance, then
run reports against these "roll-ups", dramatically increasing performance.
Understanding summary indexes
A summary index is a place to store events calculated by Splunk. Usually, these
events are aggregates of raw events broken up over time, for instance, how many
errors occurred per hour. By calculating this information on an hourly basis, it is
cheap and fast to run a query over a longer period of time, for instance, days,
weeks, or months.
A summary index is usually populated from a saved search with Summary indexing
enabled as an action. This is not the only way, but is certainly the most common.
On disk, a summary index is identical to any other Splunk index. The difference is
solely the source of data. We create the index through configuration or through the
GUI like any other index, and we manage the index size in the same way.
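The following is an added illustration of the roll-up idea described above; it is not code from the book, and Splunk itself does none of this in Python. It models a saved search that counts ERROR events per host every hour and writes one summary event per (hour, host), then answers a multi-day question from those summary events instead of the raw ones. The host names, the event generator and every function name are constructed for the example.

```python
"""Toy model of Splunk summary indexing (added example, not the book's code):
roll raw events up into hourly counts, then answer long-range questions from
the roll-ups instead of from the raw events."""
from collections import Counter
from datetime import datetime, timedelta, timezone

HOSTS = ("web01", "web02")                       # constructed host names
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start of the data


def make_raw_events(hours=72):
    """Constructed raw log events as (timestamp, host, level) tuples.

    Every hour each host logs five INFO events plus a varying number of
    ERROR events, so the error rate differs per hour and per host.
    """
    events = []
    for h in range(hours):
        base = T0 + timedelta(hours=h)
        for i, host in enumerate(HOSTS):
            for m in range(5):
                events.append((base + timedelta(minutes=m), host, "INFO"))
            for m in range((h + i) % 4):
                events.append((base + timedelta(minutes=10 + m), host, "ERROR"))
    return events


RAW_EVENTS = make_raw_events()


def day_window(first_day, n_days=1):
    """Half-open [start, end) window of whole days, aligned to the hourly buckets."""
    start = T0 + timedelta(days=first_day)
    return start, start + timedelta(days=n_days)


def raw_error_count(events, start, end):
    """Count errors by scanning raw events: work grows with the raw event count.

    Returns (errors, events_scanned).
    """
    scanned = errors = 0
    for ts, _host, level in events:
        if start <= ts < end:
            scanned += 1
            if level == "ERROR":
                errors += 1
    return errors, scanned


def build_summary(events):
    """Roll ERROR events up into one summary event per (hour, host).

    This stands in for an hourly saved search along the lines of
    'index=main level=ERROR | stats count by host' with summary indexing
    enabled as its action: each run stores its result as a new event.
    """
    buckets = Counter()
    for ts, host, level in events:
        if level == "ERROR":
            hour = ts.replace(minute=0, second=0, microsecond=0)
            buckets[(hour, host)] += 1
    return [{"_time": hour, "host": host, "count": n}
            for (hour, host), n in sorted(buckets.items())]


def summary_error_count(summary, start, end):
    """Same question answered from the summary: work grows with hours, not events.

    Returns (errors, summary_events_scanned).
    """
    scanned = errors = 0
    for ev in summary:
        if start <= ev["_time"] < end:
            scanned += 1
            errors += ev["count"]
    return errors, scanned


def summary_errors_by_host(summary, start, end):
    """Per-host totals over the window; hourly counts combine by addition."""
    totals = Counter()
    for ev in summary:
        if start <= ev["_time"] < end:
            totals[ev["host"]] += ev["count"]
    return dict(totals)


if __name__ == "__main__":
    summary = build_summary(RAW_EVENTS)
    start, end = day_window(0, n_days=3)
    print("raw     :", raw_error_count(RAW_EVENTS, start, end))
    print("summary :", summary_error_count(summary, start, end))
    print("by host :", summary_errors_by_host(summary, start, end))
```

Two things the model makes visible. First, a three-day report touches every raw event when run against the raw index but only one event per hour per host when run against the summary, which is where the performance gain comes from. Second, the summary only answers questions whose time window lines up with the hourly buckets and whose statistic combines by addition (counts and sums do, averages and distinct counts do not without extra bookkeeping); `day_window` keeps the windows aligned for that reason.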
Think of an index like a table, or possibly a tablespace in a typical
SQL database. Indexes are capped by size and/or time, much like a
tablespace, but all the data is stored together, much like a table. We
will discuss index management in Chapter 10, Configuring Splunk.