Data Acceleration Frequency

petermuller
Explorer

In the documentation here, it says that the data will update every ten minutes once an accelerated report summary is initially created and completed. When handling many searches, I can see this potentially being a problem if all searches are run at the same time.

Is it possible to edit the frequency at which the data gets updated, or even better, to randomize that frequency so that there is smoother CPU usage than large spikes every ten minutes? I am unsure if this is actually the case, but I want to make sure that if I put this in a high stress environment, there will not be potentially crippling CPU spikes when it could possibly be prevented.

If you are currently using report acceleration, have you noticed the CPU usage because of it?

1 Solution

alacercogitatus
SplunkTrust

According to your link, you are referring to Data Acceleration, which is slightly different than Summary Indexing. Summary indexing (as configured as a saved search) would fire "every ten minutes" as you say, without a change in the cron. Data Acceleration is done "on a schedule", but I'm not sure I know what that is. I do know, in my ES instance, that any spikes are caused by saved searches, not the data acceleration searches. They seem to be more or less "randomly every 10 minutes".

Is this question a result of behaviour you are currently seeing, or behaviour you don't want to see in the future and try to avoid now?


sansay
Contributor

I have just come to the conclusion that search acceleration is indeed executed on a cron schedule. We see a strong spike of search activity every 10 minutes on the dot. And all the users are those who have created many accelerated searches.

Now I would really appreciate it if someone could tell us how we can randomize this activity. According to the doc, this is not controllable.

petermuller
Explorer

This would be something that I want to prevent in the future to ensure a smooth integration into an existing system. I was unsure if the 10 minutes was a strict time (like a cron job) to fire off every search at once, or if there was information of other behavior behind it to distribute the load.

I realize now that I have to do a scheduled search for summary indexing to be enabled. From what you say, is the interval at which I run the search the same interval that the data will be fed into the summary index? If so, I will edit my question to address the report acceleration instead.

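Added example, not code from the thread or from Splunk: a small Python generator for savedsearches.conf stanzas that staggers summary-indexing saved searches across the ten-minute window instead of letting every search fire on the same minute, which is the kind of smoothing sansay asks about, applied to the scheduled saved searches that alacercogitatus distinguishes from report acceleration. The search names, SPL and summary index name are constructed; the stanza keys (cron_schedule, schedule_window, action.summary_index) are standard savedsearches.conf settings.

```python
import hashlib

PERIOD_MINUTES = 10  # the "every ten minutes" cadence the thread is about

def minute_offset(name: str, period: int = PERIOD_MINUTES) -> int:
    """Deterministic offset in 0..period-1 from the search name. A hash
    (not random.randint) spreads searches over the window while keeping
    each search's schedule stable across restarts and config redeploys."""
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % period

def cron_for_offset(offset: int, period: int = PERIOD_MINUTES) -> str:
    """Cron string firing every `period` minutes starting at `offset`, as an
    explicit minute list, e.g. offset 3 -> '3,13,23,33,43,53 * * * *'."""
    minutes = ",".join(str(m) for m in range(offset, 60, period))
    return f"{minutes} * * * *"

def stanza(name: str, spl: str, summary_index: str) -> str:
    """savedsearches.conf stanza for a summary-indexing saved search with a
    staggered cron. schedule_window = auto additionally lets the scheduler
    delay the run within the period when search slots are busy."""
    cron = cron_for_offset(minute_offset(name))
    return "\n".join([
        f"[{name}]",
        f"search = {spl}",
        "enableSched = 1",
        f"cron_schedule = {cron}",
        "schedule_window = auto",
        "action.summary_index = 1",
        f"action.summary_index._name = {summary_index}",
    ])

def minute_histogram(names, period: int = PERIOD_MINUTES) -> list:
    """Searches per minute offset; a flat histogram means load is spread
    across the window instead of spiking on one minute."""
    hist = [0] * period
    for n in names:
        hist[minute_offset(n, period)] += 1
    return hist

if __name__ == "__main__":
    # Constructed sample: summary-indexing searches (names/SPL are made up).
    sample = {
        "si_failed_logins": "index=auth action=failure | stats count by user",
        "si_web_errors": "index=web status>=500 | stats count by host",
    }
    for name, spl in sample.items():
        print(stanza(name, spl, "summary"), end="\n\n")
    print("searches per minute offset:", minute_histogram(sample))
```

Running minute_histogram over your real list of saved-search names shows whether the offsets land evenly before you deploy the generated stanzas.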