What is Report Acceleration?
Suppose you have a large amount of data to search, or the data you are looking for spans a large time range, and the search query takes a long time to compute the required results from the raw data or the large index.
Report Acceleration in Splunk shortens the computation time required to fetch the data from the larger index.
This is done by creating a summary index that is smaller than the full/raw index, which makes the search faster than searching the raw/larger indexed data.

Why use Report Acceleration?

  1. After you enable report acceleration, future runs of that report's search complete faster than the same search run on raw data.
  2. You also get a smaller dataset once report acceleration is enabled, against which you can run multiple queries.
  3. It automatically fetches the data from raw logs with automatic start and end dates, which makes it a speedy process.
  4. It provides automatic backfill, so if you have a data interruption it automatically updates and rebuilds your summaries.
  5. It is superfast and easy to use.

When not to use report acceleration?

  1. Since it is mostly limited to a single search per job, it is not advisable to use report acceleration when running multiple searches per job.
  2. It only provides support for basic analytics.

Conditions before using report acceleration

  1. The search query to be accelerated must contain a transforming command such as timechart or stats, or a streaming command such as rex.
  2. To use a non-streaming command, a transforming command must come first; the non-streaming command can then follow it and the report can still be accelerated.
  3. Report acceleration works in either Fast mode or Smart mode. Avoid Verbose mode when accelerating the report.
  4. You cannot accelerate Pivot reports. They can be accelerated using data model acceleration.

How to use report acceleration?

Step 1 : In the search box, write a search query that qualifies for report acceleration by using a transforming or streaming command, and save it as a report.

Step 2 : Create a report from the above results, give it a name and click Save.

Step 3 : A "report has been created" message pops up with some additional settings. These settings include permissions for who can access the report, scheduling the report, accelerating the report and embedding the report.

Step 4 : To accelerate the report, click the Acceleration button in the message displayed.

Check the box next to Accelerate Report and provide the summary range you need. The summary range should be less than or equal to the time range for which the report was created.
If you set a summary range of 1 day, a search runs every ten minutes to collect data from the specified index into the summary index; the previous day's data is removed and new data takes its place, based on the summary range you provide.

Step 5 : Checking on report acceleration summaries
Splunk assigns a unique summary ID to the report you created and shows the status of the report acceleration.
To access report acceleration summaries, go to Settings > Report acceleration summaries.

On that page, the summary shows as complete for our report named report_acceleration_demo, which means the summary has been created.
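
The settings chosen in Steps 1 to 5 can also be expressed in savedsearches.conf. This is an added example, not part of the original walkthrough: the report name comes from the page, while the search string, index, sourcetype and 7-day report time range are assumed sample values.

```ini
# savedsearches.conf in the app's local directory (added example)
[report_acceleration_demo]

# Assumed sample search. It ends in a transforming command (timechart),
# so it qualifies for acceleration under the conditions listed above.
search = index=main sourcetype=linux_secure "Failed password" | timechart span=1h count by host

# Assumed report time range: the last 7 days.
dispatch.earliest_time = -7d@d
dispatch.latest_time = now

# Step 4: equivalent of ticking the Accelerate Report box.
auto_summarize = 1

# Summary range of 1 day. It must not exceed the report's own time range
# (7 days in this example).
auto_summarize.dispatch.earliest_time = -1d@h

# The summary-building search runs every ten minutes.
auto_summarize.cron_schedule = */10 * * * *
```

After a restart or configuration reload, the report should appear under Settings > Report acceleration summaries in the same way as one accelerated through the UI.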

Results when running a normal search

Results when using report acceleration

From the above two results it can be concluded that with report acceleration the time required to execute the query is much less (1/5th) than the time taken when the search query is run normally.
You can also use the accelerated report as a base search to schedule your report, which further speeds up the results.
