Report Acceleration Repurposing?

Path Finder


I'm used to working with summary indexes and tonight I thought I'd noodle with accelerated searches. My first search looked like this:

sourcetype="cisco_ips_syslog" | stats count by dest_ip

If a subsequent search is:

sourcetype="cisco_ips_syslog" dest_ip="" | stats count by dest_ip

Will it pull from the accelerated search or will it pull from the raw data? Secondly, if my search is:

 sourcetype="cisco_ips_syslog" dest_ip="" | timechart span=1d count by dest_ip

Will THAT pull from the accelerated search or from the raw data?


Tags (1)


I'd say that's by design - a search can only use a report acceleration if its accelerate-able part matches the accelerated search's part.

For the first example you can put the filter by dest_ip after the stats count by dest_ip. Whether that's faster than just running the search by itself depends on the distribution of data.

The second example cannot really work because the acceleration itself does not need daily timespans, so it likely will not have exact per-day information available.

You can turn things around - accelerate a timechart, and post-process the results you need from that.

0 Karma


I've tried this myself and unfortunately doesn't seem to work if you include extra search options within in the base search.

I was looking to use report acceleration as a nicer "automatically" managed way to generate pre-report statistics.

I can't seem to nut out any way into which I can put an extra search definition into the most efficient search location (before the pipe) and have it access the report acceleration summary data.

0 Karma

Ultra Champion


Do we have a verdict?


0 Karma

Splunk Employee
Splunk Employee

My understanding is that searches that draw from the same pool of data before applying transformations will use the same summary. What that means is, as long as the part of the search before the first pipe remains the same as your accelerated search, you can change what follows and still have it be used by the summary. By that logic, neither of the two searches you provide above would qualify to use the summary created for the accelerated search. But this search might:

sourcetype="cisco_ips_syslog" |  timechart span=1d count by dest_ip

Of course the best way to find out is to do as martin_mueller suggests in the preceding answer. Run the searches, accelerate them, and see if they get their own summary or are added to the existing summary.


Set up the accelerated search, wait until it's built, run the other two searches, inspect for using summary or not.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...