Report Acceleration In Splunk: In Splunk Web, the time range picker makes it easy to get information for a specific time range. However, the time range may be long, or the index being searched may be large. In that case, even a search for a small amount of information can return late, because the data is being searched out of a large volume of raw data.

With Report Acceleration, Splunk finds the desired data in processed information rather than in raw data, which is faster and easier. Before going to the implementation part, here is a brief description of Report Acceleration.

Report Acceleration In Splunk

This is a process in Splunk Enterprise that speeds up a transforming search. It also speeds up reports that take a long time to run because they operate on huge datasets. It builds a separate summary of the data on the indexer and stores the summary data in the ordinary indexes, parallel to the bucket or buckets that cover the time range for which the report-acceleration summary is built.

Once the report-acceleration summary is created, Splunk Enterprise searches the information from the summary and not from the _raw index, which holds the raw data. As a result, the execution time of the search query is shorter.

Conditions that need to be followed to form Report Acceleration

  1. The search query for report acceleration must be composed with transforming commands such as stats, timechart, etc., or streaming commands such as rex, etc.
  2. If the search string contains a command before the first transforming command, it must be a streaming command such as rex.
  3. Pivot reports cannot be used for report acceleration.
  4. The user needs write permissions for the report.
  5. Report acceleration isn't possible if the user does not have the schedule_search and accelerate_search capabilities.
  6. The search mode must be Fast or Smart.
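
Conditions 1 and 2 can be checked mechanically before a report is saved. The sketch below is an added example, not Splunk's own code or part of the original post; its command sets are a small assumed sample, and the searches, index names and field names are constructed.

```python
# Added example: checks conditions 1 and 2 for a candidate report search.
# The command sets below are a partial, assumed sample, not Splunk's full lists.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}
STREAMING = {"search", "rex", "eval", "fields", "where", "rename", "regex"}

# Constructed sample searches (index and field names are made up).
GOOD = r'index=auth | rex "(?<result>Failed|Accepted) password" | stats count by result'
BAD = r'index=auth | sort - _time | stats count by user'


def split_pipeline(spl):
    """Split SPL on top-level pipes, skipping quoted text and [subsearches]."""
    stages, buf, depth, in_quote, escaped = [], [], 0, False, False
    for ch in spl:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in "[]":
            depth += 1 if ch == "[" else -1
        elif ch == "|" and not in_quote and depth == 0:
            stages.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def check_acceleration(spl):
    """Return (eligible, reason) for the transforming/streaming conditions."""
    stages = split_pipeline(spl)
    if not spl.lstrip().startswith("|"):
        stages = stages[1:]  # drop the implicit base search before the first pipe
    for cmd in (s.split()[0].lower() for s in stages):
        if cmd in TRANSFORMING:
            return True, f"first transforming command is '{cmd}'"
        if cmd not in STREAMING:
            return False, f"'{cmd}' runs before any transforming command but is not streaming"
    return False, "no transforming command found"


if __name__ == "__main__":
    for query in (GOOD, BAD):
        print(check_acceleration(query), "<-", query)
```

The quoted `|` inside the rex pattern is not treated as a pipeline separator, so GOOD passes, while BAD is rejected because sort comes before stats and is not a streaming command.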

Benefits of report acceleration

  1. Increases performance by 2 to 5 times.
  2. The report-acceleration summary is updated automatically every ten minutes, so there is no need to backfill it manually.
  3. No need to worry about data arriving late, because of the automatic updates.
  4. No conversion is needed; you just click the checkbox and you're done.

Creating Report Acceleration In Splunk

Step 1

Log in to Splunk using your credentials.

Step 2

Go to the Search & Reporting app in Splunk.

Step 3

Compose a search query in the search box using a streaming command or transforming command, and save the search query as a report.

Step 4

Give the report a suitable name.

Step 5

To make this report faster, create report acceleration for it. Click on Acceleration and a popup page will be displayed, like in the image below. Here, you need to check the box and give a Summary Range.

Remember that you can only give a range less than or equal to the time range over which the report is made.

Step 6

To check whether the summary for the report has been made, go to the Report acceleration summaries option available under Settings. Click on it to see whether the summary was made. When the Summary Status displays Complete, the summary has been made.

To see the details of the summary, click on the Summary ID and the information will be shown.

Step 7

When you search for any information with the base search query used for report acceleration, the query takes less time to execute because the search runs against the summary and not the _raw index. Before acceleration, the query was taking nearly 17.5 seconds to run.

After the creation of report acceleration, it takes about six seconds. The query execution time is about three times less than its previous execution time.

Step 8

You can also create a report from the report-acceleration summary and cron-schedule it as required. The report then completes faster than before. However, you have to use the base search of the report-acceleration summary for the search or the new report.

The screenshots below will guide you.

Terry White is a professional technical writer, WordPress developer, Web Designer, Software Engineer, and Blogger. He strives for pixel-perfect design, clean robust code, and a user-friendly interface. If you have a project in mind and like his work, feel free to contact him.
