Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk 8.0.2 report acceleration broken for reports using inputlookup command in subsearches

orion44
Communicator
‎02-14-2020 12:20 AM

Prior to updating to Splunk Enterprise 8.0.2 scheduled accelerated reports ran extremely fast:
Report A
Duration: 37.166
Record count: 314

After updating to Splunk Enterprise 8.0.2 the report ran extremely slow:
Report A
Duration: 418.621
Record count: 300

Given the patch notes for 8.0.2 – I'm not seeing any changes to acceleration or summary indexing, so is it safe to assume this is a fluke?

The massive increase in report generation (job) time of the scheduled accelerated reports appears to be caused by them no longer accessing the corresponding report acceleration summary. The "Access Count" never goes up when the scheduled reports are run.

alt text

Guess we'll wait for 8.0.3 to fix this.

Troubleshooting steps attempted:
Manually rebuild Report Acceleration Summaries
Delete all affected Report Acceleration Summaries
Delete and recreate affected production reports – recreated schedule and checked box for acceleration
Check filesystem permissions of inputlookup csv - confirmed -rw-rw-r-- splunk splunk

Labels (2)
Preview file
1 KB
0 Karma
Reply

orion44
Communicator
‎09-04-2020 12:42 PM

Neither is a solution (smiley face emoji) so I'll just keep bumping the issue periodically to attract attention. The reason we migrated to embedded subsearches was to stop hardcoding variables into a report. Definitely not rolling that back.

0 Karma
Reply

orion44
Communicator
‎09-12-2020 02:58 PM

@nvanderwalt_spl can we get a SPL ticket assigned for this? Staring at "Finalizing job..." all day long isn't working out as a solution.

The updates to limits.conf below to alleviate the search performance degradation caused by the workaround "phased_execution_mode = singlethreaded" still result in "Finalizing job..." in the GUI.

 

limits.conf

[search]
phased_execution_mode = singlethreaded
result_queue_max_size = 400000000
max_chunk_queue_size = 10000000
remote_timeline_fetchall = 0
fetch_remote_search_log = disabled

0 Karma
Reply

orion44
Communicator
‎02-04-2021 11:56 AM

When is this issue getting fixed?

0 Karma
Reply

orion44
Communicator
‎07-23-2021 02:04 PM

Never, stop asking.

0 Karma
Reply

codebuilder
Influencer
‎02-14-2020 12:47 PM

Did you migrate the scheduled report or recreate it?

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

orion44
Communicator
‎02-14-2020 01:21 PM

Total delete and recreate the report, schedule, acceleration, and the corresponding report acceleration summary.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...