Acceleration

Splunk searches are fast. They can pull millions of events in a relatively short amount of time. However, what happens when you need to search billions of events? What if you want the daily statistics of a website over 5 years? This is where acceleration methods give you an advantage over searching raw data. Acceleration summarizes your data and provides you with aggregated statistics that can be looked up faster. If your App doesn't collect that much data, or you don't care about long-term statistics, you might not need any form of acceleration.

Summary indexing

Summary indexing is a tried-and-true method of collecting aggregated data. One way is to set up the summary fields and place them in the index using the collect
