Reducing summary index size
If the saved search populating a summary index produces too many results, the summary index is less effective at speeding up searches. This usually occurs because one or more of the fields used for grouping has more unique values than expected.
One common example of a field that can have many unique values is the URL in a web access log. The number of URL values might increase in instances where:
- The URL contains a session ID
- The URL contains search terms
- Hackers are throwing URLs at your site trying to break in
- Your security team runs tools looking for vulnerabilities
On top of this, multiple URLs can represent exactly the same resource, as follows:
/home/index.html/home//home/index.html?a=b/home/?a=b
We will cover a few approaches ...
Get Implementing Splunk - Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
