Report Acceleration In Splunk

We all know that we can easily get data in Splunk Web for a specific time range using the time range picker. But when the time range is long, or the index we are searching is large, even a search for a small amount of data can return slowly, because that data has to be searched out of a much larger amount of raw data.

It is definitely easier and faster for Splunk to search for the desired data in processed data rather than in raw data. For that we will use Report Acceleration. Before going to the implementation part, let us briefly describe Report Acceleration.

REPORT ACCELERATION:-

Report Acceleration is the process in Splunk Enterprise that speeds up a transforming search or a report that takes a long time to execute because it runs over a large dataset. It creates a separate summary of the data on the indexer and stores the summary data within ordinary indexes, parallel to the bucket or buckets that cover the time range over which the report acceleration summary is created.

Once the report acceleration summary is created, Splunk Enterprise searches the data from the summary, not from the _raw index (i.e. the raw data). So the search query will definitely execute faster.

Now, there are some conditions that should be followed to create Report Acceleration.

The conditions are listed below:-

1. The command used to write the search query for report acceleration must be a transforming command (e.g. stats, timechart etc.) or a streaming command (e.g. rex etc.).
2. If the search string has any commands before the first transforming command, they must be streaming commands (e.g. rex).
3. Pivot reports cannot be used for report acceleration.
4. Report Acceleration is not possible if the user doesn't have the schedule_search and accelerate_search capabilities.
5. The user must have write permissions for the report.
6. The search mode should be smart mode or fast mode.
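As an added example (not from the original post, and not Splunk's own code), here is a small Python pre-check for conditions 1 and 2: it splits an SPL string on unquoted pipes, finds the first transforming command, and confirms that every command before it is a streaming command. The command sets are an illustrative subset and an assumption; Splunk itself makes the final eligibility decision when you tick the Acceleration checkbox.

```python
# Assumption: illustrative subsets of Splunk's command categories; anything
# in neither set (e.g. sort, transaction) is treated as non-streaming.
TRANSFORMING = {"stats", "timechart", "chart", "top", "rare"}
STREAMING = {"search", "rex", "eval", "where", "fields", "rename", "regex", "spath"}


def split_pipeline(spl):
    """Split SPL on '|' outside quotes, so "a|b" in a rex pattern stays intact."""
    stages, buf, quote, i = [], [], None, 0
    while i < len(spl):
        ch = spl[i]
        if quote:
            if ch == "\\" and i + 1 < len(spl):  # keep escaped char verbatim
                buf.append(spl[i:i + 2])
                i += 2
                continue
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "|":
            stages.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    stages.append("".join(buf).strip())
    return stages


def command_names(spl):
    """Lower-cased command name of each stage; leading terms are an implicit search."""
    stages = split_pipeline(spl)
    names = [] if spl.lstrip().startswith("|") else ["search"]
    names += [s.split(None, 1)[0].lower() for s in stages[1:] if s]
    return names


def check_accelerable(spl):
    """(ok, reason): ok only if a transforming command exists and all before it stream."""
    names = command_names(spl)
    for pos, name in enumerate(names):
        if name in TRANSFORMING:
            bad = [n for n in names[:pos] if n not in STREAMING]
            if bad:
                return False, "non-streaming before %s: %s" % (name, ", ".join(bad))
            return True, "first transforming command is %s" % name
    return False, "no transforming command found"
```

Run it over a candidate search before saving the report; a `sort` or other non-streaming command ahead of `stats` is the usual reason a report refuses to accelerate.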

Advantages of REPORT ACCELERATION:-

1. Performance is increased by 2-5x.
2. The report acceleration summary updates every 10 minutes automatically; there is no need to backfill manually.
3. No need to worry about late-arriving data, because of the automatic updates.
4. Does not require any conversion (just click the checkbox and you are done).

How to create REPORT ACCELERATION:-

Step 1:

Log in to Splunk using your credentials.


Step 2:

Go to the Search and Reporting app in Splunk.

Step 3:

Write a search query using a transforming or streaming command in the search box and save it as a report.


Step 4:

Give the report a suitable name.


Step 5:

To create report acceleration, this report needs to be accelerated. So just click on Acceleration and the page below will pop up. There you just have to check the box and give the Summary Range.

Remember, you can only give a summary range less than or equal to the time range for which the report is created.


Step 6:

Now, if you want to see whether the summary for your report has been created, go to Settings, click on Report acceleration summaries, and check there whether your summary is created. If the Summary Status shows Complete, the summary is created.


If you want to see the details of the summary, click on the summary ID.


Step 7:

Now, if you search anything from the base search query used for report acceleration, the query will execute faster, because the search now runs against the summary, not the _raw index. See that before acceleration the query was taking almost 17.5 secs to run.


Now see that it is taking almost 6 secs after we created the report acceleration.

The query execution time is almost 3 times less than the previous execution time.


Step 8:

Now you can also create a report from this report acceleration summary and cron-schedule it as per your requirement, so the report executes faster than before. But you have to use the base search of the report acceleration summary for the new report or search.

Follow the screenshots below.

[Screenshots for Step 8: report8(1) to report8(8)]

See that it is taking almost 0.8 secs to run the report, because we have used the base search of the report acceleration summary in this report.

Hope that from now on, all of you can create Report Acceleration without fail.

Happy Splunking!!
