Reporting

one of two reports won't accelerate

RVDowning
Contributor

I have two reports which are identical with the exception of the earliest modifier. One has earliest="8/22/2014:00:00:00" , the other earliest=-6months. (The names of the reports are also different.)

The former works as expected. I can't get the latter one to accelerate. In Report Acceleration Summaries the one that works says "Pending Updated: 31m ago" and the one that doesn't work says "Building summary - 0% Updated: Never" and that status never changes. I've tried the Rebuild option under the Summary ID and also the Rebuild option under the Normalized Summary ID, but can't seem to get it to work.

Any ideas?

Tags (1)
0 Karma

lguinn2
Legend

There are several valid reasons that this could happen.

If the search returns less than 100K events, Splunk will not create the acceleration summary - it's faster for Splunk to do the search as needed. If the number of events grows to greater than 100K, Splunk will then create the summary. I think this is the most likely reason.

Look at Manage Report Acceleration for more ideas.

0 Karma

RVDowning
Contributor

Given that it selected 16,103,292 events I don't think that this is the issue. The one that does work selected 16,943,827 events.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...