Reporting

Splunk 8.0.2 report acceleration broken for reports using inputlookup command in subsearches

orion44
Communicator

Prior to updating to Splunk Enterprise 8.0.2 scheduled accelerated reports ran extremely fast:
Report A
Duration: 37.166
Record count: 314

After updating to Splunk Enterprise 8.0.2 the report ran extremely slow:
Report A
Duration: 418.621
Record count: 300

Given the patch notes for 8.0.2 – I'm not seeing any changes to acceleration or summary indexing, so is it safe to assume this is a fluke?

The massive increase in report generation (job) time of the scheduled accelerated reports appears to be caused by them no longer accessing the corresponding report acceleration summary. The "Access Count" never goes up when the scheduled reports are run.

alt text

Guess we'll wait for 8.0.3 to fix this.

Troubleshooting steps attempted:
Manually rebuild Report Acceleration Summaries
Delete all affected Report Acceleration Summaries
Delete and recreate affected production reports – recreated schedule and checked box for acceleration
Check filesystem permissions of inputlookup csv - confirmed -rw-rw-r-- splunk splunk

Labels (2)
0 Karma

orion44
Communicator

Neither is a solution (smiley face emoji) so I'll just keep bumping the issue periodically to attract attention. The reason we migrated to embedded subsearches was to stop hardcoding variables into a report. Definitely not rolling that back.

0 Karma

orion44
Communicator

@nvanderwalt_spl can we get a SPL ticket assigned for this? Staring at "Finalizing job..." all day long isn't working out as a solution.

The updates to limits.conf below to alleviate the search performance degradation caused by the workaround "phased_execution_mode = singlethreaded" still result in "Finalizing job..." in the GUI.

 

limits.conf

[search]
phased_execution_mode = singlethreaded
result_queue_max_size = 400000000
max_chunk_queue_size = 10000000
remote_timeline_fetchall = 0
fetch_remote_search_log = disabled

0 Karma

orion44
Communicator

When is this issue getting fixed?

0 Karma

orion44
Communicator

Never, stop asking.

0 Karma

codebuilder
Influencer

Did you migrate the scheduled report or recreate it?

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

orion44
Communicator

Total delete and recreate the report, schedule, acceleration, and the corresponding report acceleration summary.

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...