Summary
The key takeaways from this chapter are as follows:
- There are currently three methods of data summarization in Splunk: summary indexing, report acceleration, and data model acceleration
- Summary indexing can greatly improve the time taken to access key metrics computed over long periods of time
- Summary indexing provides a method to retain data over long periods of time with a much smaller footprint on disk space
- Report acceleration provides an intelligent method for automatically summarizing report data to enhance the speed of the report
- Report acceleration summary data is shared amongst similar reports automatically
- Report acceleration is self-repairing; it will automatically detect gaps in data and recompute the expected data summaries
- The speed at which reports are produced is a cornerstone of a successful Operational Intelligence program