https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329842#M5949 <P>Is that streaming command equally spread across your indexers, or do you have one or two indexers that are taking longer then others?</P> <P>Dispatch stream taking a lot of time could reflect indexer performance issues, especially around I/o. How are your normal searches running? What if you run tstats against the index instead of the DM. </P> <P>Circling back to the data model, what kind of events are fitting into the DM? And what’s the base search look like?</P> Mon, 29 Jan 2018 12:53:33 GMT esix_splunk 2018-01-29T12:53:33Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329837#M5944 <P>I have an accelerated data model which is performing very slow. It takes more than 2 minutes to return just count of events and more than 4 minutes to do any statistical functions. For example below query takes 121 seconds to run:-</P> <PRE><CODE>|tstats count from datamodel=mydatamodel where (nodename=mydatamodel.logs) (mydatamodel.tag=prod) groupby "mydatamodel.transactionID" </CODE></PRE> <P>This returned around 4 Million rows after scanning 12 M events. Is there anything I can do to improve the performance. We have a search head cluster with good configuration and around 13 indexers.</P> Mon, 29 Jan 2018 05:58:35 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329837#M5944 vaibhavagg2006 2018-01-29T05:58:35Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329838#M5945 <P>What are the terms of the acceleration? Is it actually accelerated? You can check on the status of the data model in your Management Console, or in the Data Model Audit Dashboard of CIM (if you're using it..)</P> <P>It's worth noting that your accelerated data exists on the indexers, and not on the SHC. If your indexers are facing anytype of I/o, Memory, or CPU contention, then this can effect performance of your data model.</P> <P>Additionally, the structure of your data model can also adversely effect performance. Whats the time span youre searching over? If you adjust the timespan down, how does it effect the search performance?</P> Mon, 29 Jan 2018 08:08:49 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329838#M5945 esix_splunk 2018-01-29T08:08:49Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329839#M5946 <P>Yes, the data model is accelerated for last 30 days. <BR /> Indexers are ok in terms of resources, this slowness is consistent and query takes same time to run across the day. <BR /> I am searching for "Yesterday". The event count I mentioned(12 M) is for 1 day. The logs are in key value formatl</P> Mon, 29 Jan 2018 08:54:31 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329839#M5946 vaibhavagg2006 2018-01-29T08:54:31Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329840#M5947 <P>Did you confirm that the data is actually accelerated via MC or DM Audit Dashboard? This is a key thing to confirm. If your data model acceleration is not completing or working properly, then your tstats search just search against the raw data, which would give you a search time similar to normal search performance.</P> <P>Whats the base search of your data models look like? </P> <P>Can you check search log and see where the most process time is spent?</P> Mon, 29 Jan 2018 09:10:14 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329840#M5947 esix_splunk 2018-01-29T09:10:14Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329841#M5948 <P>Yes, I checked the acceleration is fine.<BR /> It is taking maximum time in "command.tstats" and then "dispatch.stream.remote". Under "command.tstats" most of the time is taken by "command.tstats.query_tsidx"<BR /> Just curious what is invocations in the job inspector. It says 623 for "Command.tstats" and around 25 for each indexer.</P> Mon, 29 Jan 2018 11:48:44 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329841#M5948 vaibhavagg2006 2018-01-29T11:48:44Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329842#M5949 <P>Is that streaming command equally spread across your indexers, or do you have one or two indexers that are taking longer then others?</P> <P>Dispatch stream taking a lot of time could reflect indexer performance issues, especially around I/o. How are your normal searches running? What if you run tstats against the index instead of the DM. </P> <P>Circling back to the data model, what kind of events are fitting into the DM? And what’s the base search look like?</P> Mon, 29 Jan 2018 12:53:33 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329842#M5949 esix_splunk 2018-01-29T12:53:33Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329843#M5950 <P>Yes the streaming command is equally spread. All the indexers and almost taking equal time.</P> <P>My base search looks like something below ::<BR /> "index=idx1 (sourcetype=abc transactionID=<EM>) OR (sourcetype=xyz ("some search string") ) OR (sourcetype=blah (*search string</EM>))"</P> <P>Also i tried to run normal index search vs tstats against accelerated data model for same set of data.<BR /> The response time is 168 seconds vs 138 seconds.<BR /> Event count:-19,821,855</P> <P>Not able to run tstats against the index as I dont have indexed fields on which I am trying to group by</P> Tue, 29 Sep 2020 17:58:12 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329843#M5950 vaibhavagg2006 2020-09-29T17:58:12Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329844#M5951 <P>If the datamodel is accelerated, you can use <CODE>summariesonly=t</CODE> to only search the accelerated data:</P> <PRE><CODE>|tstats summariesonly=t count from datamodel=mydatamodel where (nodename=mydatamodel.logs) (mydatamodel.tag=prod) groupby "mydatamodel.transactionID" </CODE></PRE> <P>This should result in a faster search.</P> Wed, 07 Feb 2018 14:30:08 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329844#M5951 micahkemp 2018-02-07T14:30:08Z https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329845#M5952 <P>Did you get an answer to your question above as i am also have performance issues with | tstats</P> Fri, 02 Nov 2018 14:42:53 GMT https://community.splunk.com/t5/Reporting/Why-is-the-accelerated-Data-Model-performing-slow/m-p/329845#M5952 robertlynch2020 2018-11-02T14:42:53Z