I wanted to make a search - report accelerated.
Search query:
index=* | chart count over host by tag::action usenull=false
The summary span I set is 1 day.
I get 81k event results for this search. So, won't this be accelerated, since it fails to meet 100K events?
Conditions:
The number of events in the hot bucket covered by the chosen Summary Range must be equal to or greater than 100k. You will see a Summary Status warning that says Not enough data to summarize when this condition exists.
Please advise.
Hi @splunker12er
So in the documentation right above the condition you pasted, it says:
"Splunk Enterprise generates or updates a summary for a report only when the data you want it to summarize meets the following conditions:"
This means that in order for your report to be accelerated, it has to meet the condition "The number of events in the hot bucket covered by the chosen Summary Range must be equal to or greater than 100k...."
So only having 81k results means you are currently not meeting the requirement, so your report will not be accelerated. Does that make sense? I've brought this up to documentation folks for clarification.
I am not exactly clear on this concept. Because,
One of the reports which I scheduled returns only 59 events, but this report got accelerated.
But the other (which I mentioned in my query, returns 81K events) didn't.
Does the document mean the no. of events resulting from a search query should be >=100K for the report acceleration to happen?
Then in my case it didn't happen as expected.
Any advice on my doubt is much appreciated.