Refine your search:

Summary Index best practice

2

I have a dashboard that has a pull-down menu with a list of our hosts. By selecting a host, one can get a snapshot of that host's status- paging space use, web server hits, vmstat data, SAN disk stats, etc... (Note: because we're on AIX, we cannot run the *nix app, so we get our paging/vmstat data through commands sent to stdout and captured into Splunk).

Unfortunately, it takes a while to display all the results on the dashboard. When you have 20 hosts to check, it adds up fast.

I was thinking it would be a good idea to use summary indexing to speed things up a bit. I'm just not sure what the best way to structure this should be. Should I create a summary index "si-paging" (and "si-san", "si-webhits", etc...) that will capture all that information across all hosts every few minutes, then call that search when I select a host from the menu? Or should I do it from the other angle and create a summary index for each host, containing its paging/SAN/web server/etc data?

I'm thinking the latter would be better; from what I read, you can't add a search parameter when you call a saved search from a summary index. From the docs: "The search against the summary index cannot create or modify fields before the | stats command. That means I wouldn't be able to add a "host = 'xyz'". Do I have that right?

Is my logic sound here? Is it best to create a summary index for each host and generate my results in the dashboard that way?

Thanks!

asked 26 Oct '10, 13:49

Branden's gravatar image

Branden
6013339
accept rate: 19%

One Answer:
oldestnewestmost voted
2

Just use the default 'summary' index, and create 'markers' for each type of populating search. For example, a summary-index populating search could be:

sourcetype=your_sourcetype | stats min(cpu) as min_cpu avg(cpu) as avg_cpu max(cpu) as max_cpu by host

When you are going through the saved search workflow, set earliest to -5m, latest to +0s, schedule the search to run every 5 minutes, and check the "enable summary indexing" checkbox, add the key "marker" and the value "cpu_by_host_5m" or something similar.

Then, to build your dashboard, use the following search or something similar (assuming $host$ is a replacement intention from your drop-down):

index=summary marker=cpu_by_host_5m $host$ | timechart max(max_cpu) min(min_cpu) avg(avg_cpu)
link

answered 26 Oct '10, 20:18

araitz's gravatar image

araitz ♦
7.9k3925
accept rate: 45%

Thank you for the response. Quick question: should "| stats min(cpu)..." be "| sistats min(cpu)..."? If not, at what point do I need to preface things with "si". The manual mentioned that somewhere. Thanks!

(26 Oct '10, 20:21) Branden

If you feel confident that you can handle all the statistical operations and field names yourself in your summary-index populating search, then you don't need sistats. Per the docs, sistats is a better choice if you are new to Splunk and new to summary indexing.

(03 Jan '11, 17:58) araitz ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×235

Asked: 26 Oct '10, 13:49

Seen: 1,429 times

Last updated: 26 Oct '10, 20:18

Related questions

Best Practice for Updating Summary Indexed Data

summary index drilldown results to raw events

Using summary index by default in app?

Timezone, Saved Search and Summary Index confusion

faster way to backfill summary indexes

How to use summary indexes when max transaction span exceeds reporting interval

App development best practice: new index, or not?

Best Practise: Different Log Sources

What are some best practices for index creation?

Copyright © 2005-2012 Splunk Inc. All rights reserved.