Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use of Summary Indexing for Long Term Data from Rolling Index

philh
Explorer
‎11-22-2021 07:35 AM

Hi all,

I have the following problem set:

I have an index that rolls out data every 30 days (ie data older than 30 days is removed). There is a subset of data from this index that I would like to query for a longer period of time, say 12 or 24 months. 

I'm fairly new to the idea of summary indexes, but it sounds like the logical solution. However, I'm concerned about losing previous data (that's been removed from the original index) each time the summary index is scheduled to run. Is there a way for a summary index to store the data from old runs so I can build a dataset that encompasses multiple months from the original index? 

 

Thanks in advance!

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-22-2021 08:20 AM

The idea of a summary index is to retain a subset of data from another index.  The summary index should have different retention settings so it holds data longer than the original index.  Summarized data is independent of the data in the original index so the original data can be removed without affecting the summary.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-22-2021 08:12 AM

If you still need all the "old" data, extend the retention period for the index. If you only need partial data, extract that to the summary index and keep it for longer.

0 Karma
Reply

philh
Explorer
‎11-22-2021 08:50 AM

Thanks for the reply. I can't extend the retention period for the index since it is the established company retention length. But you're saying I can extract that partial data and hold it in the summary index without it being overwritten, correct? 

For example, I'd have the summary index run on the original index once every 30 days so it can grab all the partial data before it is removed. So after 2 runs, my summary index would have 60 days of partial data. 

Is this logic correct?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-22-2021 08:54 AM

So long as the retention period for your summary index is long enough then yes. Summary indexes will still have their own retention periods but are usually longer than the initial raw data indexes. You would have to find out from your administrators how long your summary indexes can be retained for.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...