Should we move from summary indexes to report accelerations?

Ultra Champion

In the past couple of years our team put a lot of effort into creating summary indexes for various teams in the company. Now we have merged with another team that would like to convert these summary indexes to report accelerations. The primary concern with summary indexes is the fact that they can lose their integrity easily, and restoring that integrity is a manual effort that requires precision work. The interesting thing is that we are now moving our infrastructure to a very stable farm, all physical machines, that doesn't have the resource-contention issues of the VMs and all the instability that entails.

Does it make sense to consider moving to report accelerations? Does report acceleration provide an equivalent solution to a summary index? Are report accelerations easier to maintain?

Splunk Employee

In addition to the answers post listed above, I recommend Overview of summary-based search acceleration in the Knowledge Manager Manual. It describes report acceleration, data model acceleration, and summary indexing in detail, with a "When should I use...?" section for each.

Ultra Champion

Great!!

Under - When should I use summary indexing?

-- The primary report you want to accelerate includes nonstreamable commands before a transforming command

Any example maybe?

-- You would like to run any report against a particular summary index,...

We do it all the time with summary indexes...

-- Your raw data rolls more frequently than your reporting window (e.g. your retention policy is 6 months but you want to power a panel in a dashboard from data for the last year).

Not clear on that.

Esteemed Legend

Don't worry about the 1st bullet point: just create a search and try to accelerate the report. If it fails, you are in that boat.

The 2nd bullet point just means that if you have summary index data already and run a report against that, you cannot accelerate that report because SI data is special as far as its indexing and cannot be accelerated.

The third one means that SI is a copy (separate summary) of the raw data and can outlive it but accelerated reports are indices that point to the raw data and expire alongside it.

Ultra Champion

The comparison by @woodcock says -

-- Splunk Report Acceleration
Increases performance ~2-5x.

-- Splunk Summary Index
Astronomical increases in performance are possible

Does it mean that Summary Index, when done right, is much faster than Report Acceleration?

Esteemed Legend

Yes, SI can have multiple layers of rollup. Raw->Daily, then Daily->Monthly, then Monthly->Yearly, and so on, and you shed all the events from the lower layer(s).
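To make the layered rollup concrete (and the two earlier points that a summary index is a separate copy of the data and that reports over it are not candidates for acceleration), here is an added savedsearches.conf / indexes.conf sketch. It is not from the original thread or from Splunk's documentation; the index names, the search name, the `report=` marker field, the web sourcetype and the retention periods are all assumptions chosen for illustration. The conf keys themselves (`action.summary_index.*`, `cron_schedule`, `dispatch.*`, `frozenTimePeriodInSecs`, `counttype`/`relation`/`quantity`) are standard Splunk settings.

```ini
# savedsearches.conf (assumed app context; names are illustrative)

# Layer 1: raw -> daily. Runs shortly after midnight for the previous day.
# The search itself returns one row per host per day with _time set to
# the day bucket; the summary action writes those rows into summary_daily
# and stamps each with report=daily_5xx_by_host so later searches can
# select exactly this rollup.
[rollup_daily_5xx_by_host]
search = index=web sourcetype=access_combined status>=500 | bin _time span=1d | stats count AS errors by _time host
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_daily
action.summary_index.report = daily_5xx_by_host

# Layer 2: daily -> monthly. Reads the layer-1 summary, never the raw data,
# so it keeps working after the raw index has rolled to frozen.
[rollup_monthly_5xx_by_host]
search = index=summary_daily report=daily_5xx_by_host | bin _time span=1mon | stats sum(errors) AS errors by _time host
cron_schedule = 15 0 1 * *
dispatch.earliest_time = -1mon@mon
dispatch.latest_time = @mon
enableSched = 1
action.summary_index = 1
action.summary_index._name = summary_monthly
action.summary_index.report = monthly_5xx_by_host

# Integrity check for the gap problem raised in the question: timechart
# fills missing days with zero, so any zero row in the last 30 days means
# a daily run was skipped or failed and needs backfilling. This is a
# scheduled alert that fires when such a row exists.
[check_daily_5xx_summary_gaps]
search = index=summary_daily report=daily_5xx_by_host earliest=-30d@d latest=@d | timechart span=1d sum(errors) AS errors | where errors=0
cron_schedule = 30 0 * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

```ini
# indexes.conf (assumed paths). The daily layer can be kept short because
# the monthly layer carries the history forward; the raw index can be shorter
# still. This is the "shed the lower layers" idea, expressed as retention.
[summary_daily]
homePath   = $SPLUNK_DB/summary_daily/db
coldPath   = $SPLUNK_DB/summary_daily/colddb
thawedPath = $SPLUNK_DB/summary_daily/thaweddb
frozenTimePeriodInSecs = 7776000

[summary_monthly]
homePath   = $SPLUNK_DB/summary_monthly/db
coldPath   = $SPLUNK_DB/summary_monthly/colddb
thawedPath = $SPLUNK_DB/summary_monthly/thaweddb
frozenTimePeriodInSecs = 94608000
```

Two design points follow from the thread. First, each layer is an ordinary scheduled search writing plain `stats` rows, so a missed run is repairable by re-running it over the missing window with `dispatch.earliest_time`/`dispatch.latest_time` adjusted, which is the "manual precision work" the question refers to, and the gap alert is what tells you it is needed. Second, none of these searches can be report-accelerated, because their source is summary data; the trade is a bigger speedup and a longer reporting window in exchange for owning the integrity of the copy yourself.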

Ultra Champion

Interesting @woodcock.

The documentation implies, the way I read it, that SI is the "legacy" way while report acceleration is the "new" way of doing things.

Ultra Champion

Excellent thread.
