Splunk Search

Does accelerated searching cache data so it's faster to load that dashboard later?

skoelpin
SplunkTrust
SplunkTrust

I currently have a dashboard with 24 panels on it. I went ahead and set each report/panel to accelerated and also put it in fast mode.

All of the panels are set for 'Year to Date' and some of the panels will have more than 50 million matches each. So will the accelerated searching cache the historic data so it's faster to load that dashboard later?

If accelerated searching does cache my historic data, then would I have to wait for the data to be 100% loaded for it to be successfully cached or could it be partially loaded then come back to it later and have what was cached so far?

0 Karma
1 Solution

masonmorales
Influencer

Honestly, probably not. Fast mode is going to be ignored anyway because all dashboards run searches in fast mode by default. Too much report acceleration can actually be detrimental to Splunk performance because each one you add consumes additional CPU cycles.

At 50 million events, I am going to assume you aren't displaying raw events, in which case you will probably want to implement summary indexing. Summary indexing is your best option for improving the load time of your dashboard. Here are some resources:

http://wiki.splunk.com/Community:Summary_Indexing
http://www.splunk.com/view/SP-CAAACZW

View solution in original post

masonmorales
Influencer

Honestly, probably not. Fast mode is going to be ignored anyway because all dashboards run searches in fast mode by default. Too much report acceleration can actually be detrimental to Splunk performance because each one you add consumes additional CPU cycles.

At 50 million events, I am going to assume you aren't displaying raw events, in which case you will probably want to implement summary indexing. Summary indexing is your best option for improving the load time of your dashboard. Here are some resources:

http://wiki.splunk.com/Community:Summary_Indexing
http://www.splunk.com/view/SP-CAAACZW

skoelpin
SplunkTrust
SplunkTrust

I'm using a transforming search (chart) which takes hits on our website and creates a sparkline chart. So would accelerated searching be beneficial for this or would summary indexing be a better option?

Also once all 24 dashboards are loaded up at 100%, will it be much faster to load historical data?

0 Karma

masonmorales
Influencer

Yes, it will load historical data much faster. The only disadvantage to summary indexing is that historical data is only available from the point which you started summary indexing. I would encourage you to read-up on both technologies to determine which one is best suited to your environment and use cases.

Another thing you might want to look into, is that if some of your searches are very similar you can use post-processing to improve efficiency. See: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Savedsearches#Post-process_searches

0 Karma

ChrisG
Splunk Employee
Splunk Employee

It doesn't cache it, it builds a summary of the data and runs the report against that. Only reports that include transforming commands (such as chart, timechart, stats, and top) qualify for report acceleration.

See How reports qualify for report acceleration in the Reporting Manual for more information.

Also see the introductory topic about report acceleration in the Knowledge Manager Manual for background about what report acceleration does and how it works.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...