Data Models

This article is based on my Splunk .conf 2015 session and is the second in a mini-series on Splunk data model acceleration. Make sure to read parts 1 and 2 first.

This article is based on my Splunk .conf 2015 session and is the second in a mini-series on Splunk data model acceleration. Make sure to read part 1 first. Under the Hood HPAS Population The high-performance analytics store (HPAS) is populated by scheduled searches that run every 5 minutes. The HPAS spans a user-defined time range. Old events are purged automatically by a maintenance process that runs every 30 minutes.

This article is based on my Splunk .conf 2015 session and is the first in a mini-series on Splunk data model acceleration. Why Accelerate? Have you ever seen this? Splunk is great and very fast with needle in a haystack searches, e.g. find a specific keyword in millions of events. It is not so fast with searches that perform calculations on millions of events, e.g. the sum or average of fields.