Data Acceleration Frequency

petermuller
Explorer

In the documentation here, it says that the data will update every ten minutes once an accelerated report summary is initially created and completed. When handling many searches, I can see this potentially being a problem if all searches are run at the same time.

Is it possible to edit the frequency at which the data gets updated, or even better, to randomize that frequency so that there is smoother CPU usage than large spikes every ten minutes? I am unsure if this is actually the case, but I want to make sure that if I put this in a high stress environment, there will not be potentially crippling CPU spikes when it could possibly be prevented.

If you are currently using report acceleration, have you noticed the CPU usage because of it?

1 Solution

alacercogitatus
SplunkTrust

According to your link, you are referring to Data Acceleration, which is slightly different than Summary Indexing. Summary indexing (as configured as a saved search) would fire "every ten minutes" as you say, without a change in the cron. Data Acceleration is done "on a schedule", but I'm not sure I know what that is. I do know, in my ES instance, that any spikes are caused by saved searches, not the data acceleration searches. They seem to be more or less "randomly every 10 minutes".

Is this question a result of behaviour you are currently seeing, or behaviour you don't want to see in the future and try to avoid now?

sansay
Contributor

I have just come to the conclusion that search acceleration is indeed executed on a cron schedule. We see a strong spike of search activity every 10 minutes on the dot. And all the users are those who have created many accelerated searches.

Now I would really appreciate it if someone could tell us how we can randomize this activity. According to the doc, this is not controllable.

0 Karma

petermuller
Explorer

This would be something that I want to prevent in the future to ensure a smooth integration into an existing system. I was unsure if the 10 minutes was a strict time (like a cron job) to fire off every search at once, or if there was information of other behavior behind it to distribute the load.

I realize now that I have to do a scheduled search for summary indexing to be enabled. From what you say, is the interval at which I run the search the same interval that the data will be fed into the summary index? If so, I will edit my question to address the report acceleration instead.

0 Karma