Solved: Accelerated report: status = pending?

alexiri · ‎11-01-2012

Hi,

I've created a couple of accelerated reports and, after building the summary for a while, they're marked as Pending. What does this mean? It's not listed as one of the possible statuses in the documentation.

Also, how can I tell if my searches are using the summaries or not?

Cheers,
Alex

mattness · ‎11-01-2012

The "Pending" status means that the summary was last updated more than 10 minutes ago and is due to be updated again. It's basically saying that the information in the summary may be slightly outdated but will be up-to-date momentarily. Sorry this status was excluded; I'll get the docs updated.

The obvious clue that a search is using its summary is if you run it and find that its search performance has improved (it completes faster than it did before).

But if that's not enough, or if you aren't sure if there's a performance improvment, you can check the Search Job Inspector for a debug message that indicates that summaries are being used. Here's an example: DEBUG: [thething] Using summaries for search, summary_id=246B0E5B-A8A2-484E-840C-78CB43595A84_search_admin_b7a7b033b6a72b45, maxtimespan=

If you're running a search that is similar to one that you've already created a summary for you can click Turn on acceleration and if Splunk determines it is close enough to the other search it will run the new search against the other search's preexisting summary. On the Report Acceleration Summaries page in Manager you'll be able to see that both searches are being applied to the same summary. So that's one way to see exactly which searches use a particular summary.

View solution in original post

mattness · ‎11-01-2012

The "Pending" status means that the summary was last updated more than 10 minutes ago and is due to be updated again. It's basically saying that the information in the summary may be slightly outdated but will be up-to-date momentarily. Sorry this status was excluded; I'll get the docs updated.

The obvious clue that a search is using its summary is if you run it and find that its search performance has improved (it completes faster than it did before).

But if that's not enough, or if you aren't sure if there's a performance improvment, you can check the Search Job Inspector for a debug message that indicates that summaries are being used. Here's an example: DEBUG: [thething] Using summaries for search, summary_id=246B0E5B-A8A2-484E-840C-78CB43595A84_search_admin_b7a7b033b6a72b45, maxtimespan=

If you're running a search that is similar to one that you've already created a summary for you can click Turn on acceleration and if Splunk determines it is close enough to the other search it will run the new search against the other search's preexisting summary. On the Report Acceleration Summaries page in Manager you'll be able to see that both searches are being applied to the same summary. So that's one way to see exactly which searches use a particular summary.

ChrisG · ‎11-09-2012

Docs are updated with this info, http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Manageacceleratedsearchsummaries#Use_the_R.... Thanks, mattness!

Accelerated report: status = pending?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?