Solved: Does charting data age out over time?

Dimitri_McKay · ‎01-04-2013

Does the charting data "age" like RRD data (as an example: a 5 minute sample rate gets turned into a 15 minute average after a week, a 30 minute one after two, etc...)? Is the chart data indexed separately from the logs or do you lose data that is from buckets that have been rotated to cold/frozen storage?

Dimitri_McKay · ‎01-04-2013

NO, charting data is typically the same data as raw. That is, all data to splunk is first class. That said, you can either create summary indexes and then use them to deal with a all-->5m-->15m-->30m type scenario. I have had many customer do so, but in the end, the 5.0 report acceleration probably accomplishes enough and saves you the effort. NO, data is not lost as it is moved from Hot/Warm to Cold, but yes, as data is frozen, we remove the index file and keep the raw. If/when it is restored, the rebuild process is part of that. This keeps the frozen files MUCH smaller.

View solution in original post

Dimitri_McKay · ‎01-04-2013

NO, charting data is typically the same data as raw. That is, all data to splunk is first class. That said, you can either create summary indexes and then use them to deal with a all-->5m-->15m-->30m type scenario. I have had many customer do so, but in the end, the 5.0 report acceleration probably accomplishes enough and saves you the effort. NO, data is not lost as it is moved from Hot/Warm to Cold, but yes, as data is frozen, we remove the index file and keep the raw. If/when it is restored, the rebuild process is part of that. This keeps the frozen files MUCH smaller.

Does charting data age out over time?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!