The Forge • Room 3

Summary Indexing & Report Acceleration

**Summary Indexing** runs a scheduled search that saves aggregated results into a separate summary index. Future searches read the pre-computed summary instead of the raw data.

**Report Acceleration** is a more automated approach: Splunk automatically builds and maintains accelerated summaries behind the scenes for saved reports.

Both techniques trade disk space for dramatically faster query times on recurring reports.

Collecting to Summary
```
index=web | stats count by status | collect index=summary marker="web_status_report"
```
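An added example, not part of the original lesson, showing both halves of the pattern: the first search is the scheduled populating search, the second is the report that reads the summary back by filtering on the marker text that `collect` appends to each summary event. The hourly schedule, the time windows and the 7-day report range are assumptions; the index names, the `status` field and the marker are the ones used above.

```spl
index=web earliest=-1h@h latest=@h
| bin _time span=1h
| stats count by _time, status
| collect index=summary marker="web_status_report"

index=summary "web_status_report" earliest=-7d@d latest=@h
| timechart span=1d sum(count) by status
```

The report uses `sum(count)` rather than `count` because each summary event already holds an hourly total. Snapping the populating search to whole hours (`-1h@h` to `@h`) keeps consecutive runs from overlapping and double counting.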

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write a search that collects a count of events by sourcetype into a summary index with a marker called "daily_sourcetype_count".