Inputlookup vs. summary index performance

If I have a bunch of events in a tabular format that I wish to search for various charts on a dashboard, is it faster to input the events with inputlookup or is it better to save them in a summary index and search the index?

Thx.

Craig

performance

asked 11 Apr '11, 06:32

jambajuice
491●5●4●46
accept rate: 9%

2 Answers:

oldest newest most voted

0	I would think using a summary index would always be faster. link answered 11 Apr '11, 18:48 netwrkr 428●2●10 accept rate: 22%

Depends on the size of the lookup table. If it's less than 10MB, it's almost certainly faster to use inputlookup because it'll be sitting in memory already.

http://answers.splunk.com/questions/8326/are-lookup-tables-indexed

However bear in mind that you get all sorts of extra flexibility when you have summary indexing going. It's not uncommon for a lookup solution to get replaced down the road by a summary index solution when you need that flexibility. Like when the values start changing over time and you need to report on the changes.

link

answered 12 Apr '11, 05:34

sideview ♦
25.6k●4●5●43
accept rate: 46%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

performance ×238

Asked: 11 Apr '11, 06:32

Seen: 1,611 times

Last updated: 12 Apr '11, 05:34

Inputlookup vs. summary index performance

Follow this question

Splunk Resources

Related questions