Prior to updating to Splunk Enterprise 8.0.2 scheduled accelerated reports ran extremely fast:
Record count: 314
After updating to Splunk Enterprise 8.0.2 the report ran extremely slow:
Record count: 300
Given the patch notes for 8.0.2 – I'm not seeing any changes to acceleration or summary indexing, so is it safe to assume this is a fluke?
The massive increase in report generation (job) time of the scheduled accelerated reports appears to be caused by them no longer accessing the corresponding report acceleration summary. The "Access Count" never goes up when the scheduled reports are run.
Guess we'll wait for 8.0.3 to fix this.
Troubleshooting steps attempted:
Manually rebuild Report Acceleration Summaries
Delete all affected Report Acceleration Summaries
Delete and recreate affected production reports – recreated schedule and checked box for acceleration
Check filesystem permissions of inputlookup csv - confirmed
-rw-rw-r-- splunk splunk
Version 8.0.1 was used prior to the issue starting after upgrading to 8.0.2. The
inputlookup function used is
[| inputlookup filename.csv | fields name1 | rename name1 as my_search_value | format] and comes after
index=index_name in the search query.
"It appears you do not have an active Support Contract or entitlement and as a result, cannot open a Support case. If you believe this is an error, please contact 1-855-SPLUNK S, or consult https://www.splunk.com/en_us/about-us/contact.html#customer-support for a country specific Support phone number and we can resolve any contractual data integrity issues."
So I did this, search 1:
index=_internal | stats count by _time
index=_internal | stats count by _time | inputlookup append=true rest_api_test.csv
Report acceleration confirms they will both use the same acceleration job.
When I run the reports they advise they both used the same acceleration job.
So did not replicate it, is that similar to what you are doing?
Schedule the second search you created to run at some interval and see if the "Access Count" number increases after each scheduled report runs. In my case, the count doesn't go up and the report generates slowly – despite showing that it is using the acceleration (summary) index on the Report Acceleration Summaries page.
Sorry I do not have good news, basically embedded subsearches + newer Splunk versions + report acceleration do not work together, I believe it relates to fixing a previous issue...
The fix will come in a future version but no ETA so I cannot help further!
The only solution is to not have embedded sub searches....or don't accelerate 🙂