Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Should accelerated reports always be scheduled?

kiril123
Path Finder
‎09-26-2017 03:20 AM

I have created an accelerated report with a summary range of 1 day. Should i also schedule this report with the cron schedule to run lets say hourly?

If accelerated report is not scheduled, how splunk is going to build summary in this case?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎09-26-2017 04:10 AM

Report Acceleration need not be scheduled (looks like splunk internally manages this scheduling part).

more on Report Acceleration -
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Manageacceleratedsearchsummaries

from Splunk Operational Intelligence Cookbook
By Josh Diakun, Paul R Johnson, Derek Mock
alt text

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-26-2017 12:41 PM

Hey @kiril123, if @inventsekar answered your question please don't forget to "Accept" his answer to award karma points and close the post. 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎09-26-2017 04:10 AM

Report Acceleration need not be scheduled (looks like splunk internally manages this scheduling part).

more on Report Acceleration -
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Manageacceleratedsearchsummaries

from Splunk Operational Intelligence Cookbook
By Josh Diakun, Paul R Johnson, Derek Mock
alt text

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

kiril123
Path Finder
‎09-26-2017 04:17 AM

Thank you for your answer. Do you know how splunk builds the summary when the report is unscheduled? Does it run a job lets say every 5 min?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-26-2017 04:33 AM

How Splunk Enterprise builds report acceleration summaries
When you enable acceleration for an eligible report and Splunk Enterprise determines that it will build a summary for the report, it begins running the report to populate the summary with data. When the summary is complete, Splunk Enterprise continues running the report on a 10 minute interval to keep the summary up to date. Each update ensures that the entire configured time range is covered without a significant gap in data. This method of summary building also ensures that late-arriving data will be summarized without complication.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...