Acceleration
Splunk searches are fast. They can pull millions of events in a relatively small amount of time. However, what happens when you need to search billions of events? Also, what if you want the daily statistics of a website over 5 years? This is where some methods of acceleration will give you an advantage over raw data. Acceleration summarizes your data and provides you with aggregated statistics that can be looked up faster. If your App doesn't collect that much data, or you don't care about long-term statistics, you might not need any form of acceleration.
Summary indexing
Summary indexing is a tried-and-true method of collecting aggregated data. One way is to set up the summary fields and place them in the index using the collect command.
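As an added illustration (not from the original text), a scheduled search that populates a summary index with collect could be defined in an app's savedsearches.conf as follows. The stanza name, the web index, the access_combined sourcetype, the field names and the summary_web index are all assumptions.

```ini
# Added example, not from the original text. Names are assumptions:
# index "web", sourcetype "access_combined", fields "clientip"/"status",
# and the target index "summary_web" (it must already exist in indexes.conf).
[Summary - Daily Web Stats]
# Aggregate yesterday's traffic into one row per day and HTTP status,
# then write those rows into the summary index with collect.
# The sourcetype is left at collect's default (stash).
search = index=web sourcetype=access_combined \
| bin _time span=1d \
| stats count AS hits dc(clientip) AS unique_visitors BY _time, status \
| collect index=summary_web source="daily_web_stats"
# Run at 00:05 every day over the previous full day.
enableSched = 1
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
```

A long-range report can then read the small pre-aggregated rows instead of the raw events, for example: index=summary_web source="daily_web_stats" | timechart span=1mon sum(hits) BY status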
Note
Summary indexing does not count towards your daily license usage, so feel free to summarize as much data as you wish!
Let's start with the report manager. Before we begin configuring the summary index, we have to decide what...