When the rollup is expected, perhaps each night at midnight, schedule two more
queries a few minutes apart, as follows:
- | inputcsv top_req_time.csv | head 100
  Save this as a query adding to a summary index, as in the "Populating
  summary indexes with saved searches" section.
- | stats count | outputcsv top_req_time.csv
  This query will simply overwrite the CSV file with a single line.
Summary
In this chapter, we have explored the use of summary indexes and the commands
surrounding them. While summary indexes are not always the answer, they can be
very useful for particular problems. We also explored alternative approaches using
CSV files for interim storage.
Summary indexes have long been a hotbed of development at Splunk, and I know
there has been major work done for Splunk 5, increasing the speed of some summary
queries dramatically.
In our next chapter we will dive into the configuration files that drive Splunk.
 