Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Pivot loading splunk excessively ?

agneticdk
Path Finder
‎11-06-2013 02:12 AM

Hi

In the example in 6.0 on the audit log: Splunk's Internal Audit Logs - SAMPLE and looking on the pivot of "Audit" - Under the menu "Audit" in top right corner there is the Acceleration, Earliest and Started.

Earliest is when the splunk installation was done, because the data model is over "All time" (no earliest parameter defined). So thats a long way back. And now I can see the accelereation just chews away.

If I make my own data model without earliest paramter it will always take "All time" I guess.

I have to be very careful on my pivot datamodels, because if I create a few datamodels and grant access to those for lets say 10 people, when they start clicking around in the Pivot menus these acceleration searches will run for each user, on each table or chart ? Resulting in my search head and indexers doing a lot of work, as it will continue running until either the search times out or finishes on "All time", for each user ?

One way to limit this is to grant users only access to a limited timeframe, or by adding "earliest" to my datamodel.

Any comments ?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎11-06-2013 08:26 AM

The acceleration searches should run only once for each user's session in the pivot interface, they do not need to be re-run for each table and chart that is created. And they should expire soon after each user stops using the pivot interface. I wouldn't expect the load on the search head to be much different than from 10 users running searches over all time in the search interface.

Another way to limit the load would be to accelerate the data model. Then all users of pivot are actually sharing the results of a single acceleration search.

View solution in original post

Reply
Solved! Jump to solution
Solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎11-06-2013 08:26 AM

The acceleration searches should run only once for each user's session in the pivot interface, they do not need to be re-run for each table and chart that is created. And they should expire soon after each user stops using the pivot interface. I wouldn't expect the load on the search head to be much different than from 10 users running searches over all time in the search interface.

Another way to limit the load would be to accelerate the data model. Then all users of pivot are actually sharing the results of a single acceleration search.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...