Summary indexing
In a matter of days, Splunk will accumulate data and start to move events into the cold bucket. If you recall, the cold bucket is where data is stored to disk. You will still be able to access this data, but you are bound by the speed of the disk. Compound that with the millions of events that are typical of an enterprise Splunk implementation, and you can understand how your historical searches can slow down at an exponential rate.
There are two ways to work around this problem, one of which you have already used: search acceleration and summary indexing.
With summary indexing, you run a scheduled search and output the results into an index called summary. The result contains only the computed statistics of the search. This is a very small subset of the data, and it is far faster to retrieve than scanning the entirety of the events in the cold bucket.
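The configuration below shows what a summary-indexing saved search looks like on disk. It is an added example, not taken from the book: the source index, the sourcetype payment_app, and the fields status and error_code are assumed, and the search name and report tag are chosen here.

```ini
# savedsearches.conf in your app's local/ directory (added example, not from
# the book). Assumptions: events live in index=main with sourcetype=payment_app
# and carry the fields "status" and "error_code"; the built-in "summary" index
# receives the results.
[Payment errors hourly summary]
# Run at 5 minutes past every hour over the previous whole hour, so that each
# run covers exactly one window and no hour is counted twice or skipped.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# sistats stores the partial statistics that a later stats command needs,
# not the raw events, so the summary stays small.
search = index=main sourcetype=payment_app status=error | bin _time span=1h | sistats count by _time, error_code
# Send the results to the summary index instead of raising an alert.
action.summary_index = 1
action.summary_index._name = summary
# Add a constant field to every summary event so it can be found even if the
# saved search is later renamed.
action.summary_index.report = payment_errors

# Retrieval search, typed into the search bar, which reads only the summary
# events (summary indexing sets "source" to the saved search name):
#   index=summary source="Payment errors hourly summary" | stats count by error_code
```

If the scheduler is stopped for a while, the summary index has a gap for that period; the fill_summary_index.py script shipped in Splunk's bin directory can backfill it by re-running the saved search over the missing windows.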
Say, for example, you wish to keep track of all counts of an error in payment and you wish to keep the...