We are trying to use accelerated search for a saved search which has an issue with performance - it is taking several minutes to execute. It seems there is a 100k hot-bucket event threshold that must be met before Splunk triggers an accelerated search to be performed. Otherwise, the Manager > Report Acceleration Summaries page displays "not enough data to summarize" in the Summary Status column.
This 100k event threshold is probably valid for most cases, but in our case we just want to cut down the amount of time it takes to retrieve our results, regardless of the number of events in the hot-bucket summary range. Is there some configuration point (a .conf setting) where we can control the imposed 100k limit? Storage size is not a concern for us, so this limit seems a little harsh when the execution time is so long.
We'd like to avoid a summary index if possible, since there are issues with its reliability (gaps when splunkd is down, etc.) and the overhead of the backfill command.