Reporting

BUG: searchTemplate in a form can not use report acceleration?

laserval
Communicator

I have a form dashboard in SimpleXML that has a searchTemplate that references a saved search, but does some extra processing on top of it using a text input:

<searchTemplate> 
    | savedsearch "Fancy Accelerated Search" 
    | search area=$area$ 
    | streamstats dc(object_id) as objects by date_wday type 
</searchTemplate>
<fieldset>
    <input type="text" token="area">
    </input>
</fieldset>

This gives a distinct count over time, by day, for a specific "area" of objects. I then have charts that use searchPostProcess to do some filtering and charting of the results from the saved search:

<searchPostProcess> where type="package" | timechart max(objects)</searchPostProcess>

And this gives a kind of sawtooth-pattern graph.

So the problem is that the search performed by the dashboard and triggering the search by clicking the magnifying glass in the bottom of the chart panel won't take the same amount of time. At all!

The search in the dashboard does not use the accelerated report from the searchTemplate, resulting in much slower searches. Triggering the search by clicking the magnifying glass and running that in the Search UI does use the summary (I've checked with the Job Inspector that a summary_id was referenced).

  • Is it possible to use acceleration of a saved search in a searchTemplate with searchPostProcess?
1 Solution

sajbutler
Path Finder

I have heard back from Splunk Support about this.

This issue has been identified as SPL-88017: Report acceleration will not be used when post process search is used in the dashboard.

This bug has been resolved in development and the fix will be released in version 6.1.4.

Not long to go!!!

Edit 1st Oct 2014: I have just downloaded 6.1.4 and can confirm that report acceleration does now work with search templates.

View solution in original post

sajbutler
Path Finder

I have heard back from Splunk Support about this.

This issue has been identified as SPL-88017: Report acceleration will not be used when post process search is used in the dashboard.

This bug has been resolved in development and the fix will be released in version 6.1.4.

Not long to go!!!

Edit 1st Oct 2014: I have just downloaded 6.1.4 and can confirm that report acceleration does now work with search templates.

alexiri
Communicator

Great news, thanks for letting me know! I'm still waiting for an answer from support for more than a month...

0 Karma

alexiri
Communicator

Hi @sajbutler, I have a support ticket opened for it but I have yet to hear back as to whether they confirm it as a bug or not. I think it is, I have a pretty clear reproducer for it...

0 Karma

sajbutler
Path Finder

Hi @laserval and @alexiri, I'm also experiencing the same issue, did you ever get to the bottom of it?

0 Karma

alexiri
Communicator

Hi @laserval, I'm seeing this exact same problem, did you ever figure out how to solve it? Did you open a support request about it?

0 Karma

laserval
Communicator

Is your dashboard in the same app as the report acceleration?

Yes. I'm seeing the same effect with a different report and dashboard, as well.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Is your dashboard in the same app as the report acceleration?

0 Karma

laserval
Communicator

Additionally, make sure both search strings really are identical in the search job inspector.

The search strings I write are identical, but I suspect they result in different searches when parsed by Splunk. What I'm wondering is if it's possible to use report acceleration for the searchTemplate part of a form search, when having a postProcess after it.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

For debugging, take a look at the search job launched by your dashboard and compare it to the search job launched from the search UI. If a search is accelerated you'll see something like "using summary foo" at the top.

Additionally, make sure both search strings really are identical in the search job inspector.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...