I updated our Splunk instance to 8.0.4.1 from 8.01 today and this issue is not resolved. The patch notes (https://docs.splunk.com/Documentation/Splunk/8.0.4/ReleaseNotes/Fixedissues#Splunk_Enterprise_8.0.4....) indicate  SPL-184327 was supposed to be fixed in 8.0.4.

As noted in the original issue,  report acceleration is not working correctly for reports using inputlookup command (example: csv input) in subsearches. Due to this, report generation (of the affected reports) is exponentially longer.

Any chance this issue can be reviewed for a future Splunk update?

The previously described workaround of adding phased_execution_mode = singlethreaded to the [search] stanza in limits.conf helps alleviate the issue, but leads to other performance issues – such as jobs stuck at "Finalizing..." in the GUI.

I tested:

index=_internal earliest=-1m
| stats count by _time
| append [inputlookup test.csv ]

In 8.0.4.1 as that failed in the previously mentioned version, but it worked just fine, it correctly found the report acceleration and mentioned that summary id's were found when I ran the search.

I'm assuming your example is more complicated, I'm on default settings and I cannot replicate this one anymore...

Outside of the previously described workaround, my *.conf files are in the default state.

The csv in my example is just a list of specific identifiers (simple integers) that are referenced in the inputlookup function in the search below:

index="myindex" [| inputlookup input.csv | fields id | rename id as ID | format]
| fields NAME ID
| stats count(RECORD) as "Record" by NAME _time | dedup NAME sortby _time | rename NAME as "Username" | where _time>=relative_time(now(), "-2d@h") AND _time<=relative_time(now(), "@h") | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") | table "Record" mytime | outputcsv export.csv

I replicated it and confirmed that the limits.conf change does fix the issue (again)

FYI I did:

| makeresults count=10 | streamstats count | eval id=count | outputlookup input.csv

and my report is:

index="_internal" [| inputlookup input.csv | fields id | rename id as linecount | format]
| fields component linecount
| stats count as "Record" by component _time | dedup component sortby _time | rename component as "Username" | where _time>=relative_time(now(), "-2d@h") AND _time<=relative_time(now(), "@h") | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") | table "Record" mytime | outputcsv export.csv

I'm glad to hear you were able to reproduce the issue. The previously mentioned workaround is acceptable as a short-term solution – how it's causing other search-related performance issues, so a long-term  fix would be greatly appreciated.

@gjanders Has this been assigned an SPL issue number yet?

Not yet

When can we expect one to be assigned? The workaround is a not a solution due to the report generation performance impact.

Currently it is waiting on the development team, no updates from support yet but I have checked in just in case

Using the workaround of 

# add to  limits.conf
[search]
phasedexecutionmode = singlethreaded

Leads to searches stuck at "Finalizing job... " in the GUI. 

After consulting old posts, I tried another workaround of 

# add to limits.conf
[search]
remote_timeline_fetchall = 0

However this had no impact. Are there any other workarounds I can try?

Fantastic news, thanks!

No problem, perhaps accept so this is closed off?

Sure, done.

Outside of the inputlookup command the search itself is irrelevant. Once I remove the reference to inputlookup command from the search and hardcode a few examples from the csv – the search accelerates as expected.