Prior to updating to Splunk Enterprise 8.0.2 scheduled accelerated reports ran extremely fast:
Record count: 314
After updating to Splunk Enterprise 8.0.2 the report ran extremely slow:
Record count: 300
Given the patch notes for 8.0.2 – I'm not seeing any changes to acceleration or summary indexing, so is it safe to assume this is a fluke?
The massive increase in report generation (job) time of the scheduled accelerated reports appears to be caused by them no longer accessing the corresponding report acceleration summary. The "Access Count" never goes up when the scheduled reports are run.
Guess we'll wait for 8.0.3 to fix this.
Troubleshooting steps attempted:
Manually rebuild Report Acceleration Summaries
Delete all affected Report Acceleration Summaries
Delete and recreate affected production reports – recreated schedule and checked box for acceleration
Check filesystem permissions of inputlookup csv - confirmed
-rw-rw-r-- splunk splunk
Neither is a solution (smiley face emoji) so I'll just keep bumping the issue periodically to attract attention. The reason we migrated to embedded subsearches was to stop hardcoding variables into a report. Definitely not rolling that back.
@nvanderwalt_spl can we get a SPL ticket assigned for this? Staring at "Finalizing job..." all day long isn't working out as a solution.
The updates to limits.conf below to alleviate the search performance degradation caused by the workaround "phased_execution_mode = singlethreaded" still result in "Finalizing job..." in the GUI.
phased_execution_mode = singlethreaded
result_queue_max_size = 400000000
max_chunk_queue_size = 10000000
remote_timeline_fetchall = 0
fetch_remote_search_log = disabled