Splunk Search

similar searches using report acceleration

aaronkorn
Splunk Employee

Hello,

We have one search that pulls back a large set of data for 30 days and is accelerated. In planning, I was under the assumption that Splunk would attempt to use the accelerated search to help speed up additional similar searches, but it does not appear to.

Here is the original search:

index=cerner Application=powerchart OR Application=snsurginet OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia | timechart avg(ResponseTime) by TriggerName useother=f

But then in my dashboard I try to filter this down further on host, TriggerName, App, etc. by passing in searches similar to the accelerated one through a drop-down, hoping that Splunk would recognize it to be similar and take advantage of the acceleration, but it doesn't. For example, one of my new searches would be: index=cerner host=h1* Application=powerchart TriggerName="USR:PWR-Application Startup" | timechart avg(ResponseTime) by TriggerName | addtotals. Still the same concept but just narrowed down. Essentially I was trying to make this dynamic without having to make 20+ saved accelerated searches.

Any ideas on how this could work, or am I looking at it from the wrong angle?

Thanks!

0 Karma

dhorn
Path Finder

@aaronkorn I see you're using Splunk with Cerner. We are currently in the process of rolling out Splunk for infrastructure uses, but in the near future we will want to use Splunk with our EHR system (we will be switching to either Epic or Cerner in the next several months) and was hoping to chat with you about how you are using Splunk with Cerner. If you're willing, please email me as I'd greatly appreciate it! I'm really trying to push Splunk for this instead of adding another product such as FairWarning. My email is Derek.Horn@bhsi.com

Thanks!

0 Karma

mattness
Splunk Employee

Those two searches are too different to both use the same acceleration summary. If both searches started with

index=cerner Application=powerchart OR Application=snsurginet OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia

but were transformed in different ways, they could both use the same summary because they're essentially working off of the exact same dataset. I know the second search is essentially returning a subset of the information returned by the first one, but the current implementation of report acceleration will see them as working with two distinctly different datasets.

The docs around this aspect of report acceleration could probably be a bit clearer. As the primary doc writer on this topic, I'll see what I can do.
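To make the rule in the answer above concrete, here is a small added Python script (not Splunk's code, and not a reproduction of how the search head actually matches summaries) that applies the same rule of thumb: split each search at the first top-level pipe, require that the accelerated search carries a transforming command, and treat two searches as sharing a summary only when the part before the first pipe is identical. The three searches embedded in it are the ones quoted in this thread plus one constructed variant that keeps the base search but changes the transform; the set of transforming commands is a deliberately short subset used for illustration.

```python
import re

# Transforming commands that make a search eligible for report acceleration.
# Assumption for this illustration: a short subset of the commands Splunk
# documents as transforming (the real list is longer).
TRANSFORMING_COMMANDS = {"timechart", "chart", "stats", "top", "rare"}

# The accelerated search from the original post.
ACCELERATED = (
    "index=cerner Application=powerchart OR Application=snsurginet OR "
    "Application=firstnet OR Application=phamedmgr OR Application=saanesthesia "
    "| timechart avg(ResponseTime) by TriggerName useother=f"
)

# The narrowed dashboard search from the original post.
NARROWED = (
    'index=cerner host=h1* Application=powerchart TriggerName="USR:PWR-Application Startup" '
    "| timechart avg(ResponseTime) by TriggerName | addtotals"
)

# Constructed variant: same base search, different transforming command.
SAME_BASE_DIFFERENT_TRANSFORM = (
    "index=cerner Application=powerchart OR Application=snsurginet OR "
    "Application=firstnet OR Application=phamedmgr OR Application=saanesthesia "
    "| timechart max(ResponseTime) by Application"
)


def split_spl(search):
    """Split SPL on top-level pipes, ignoring pipes inside double quotes.

    Returns (base_search, [transform_segment, ...]) with whitespace collapsed,
    so cosmetic spacing differences do not count as a different base search.
    """
    segments, current, in_quotes = [], [], False
    for ch in search:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            segments.append("".join(current))
            current = []
        else:
            current.append(ch)
    segments.append("".join(current))
    cleaned = [re.sub(r"\s+", " ", s).strip() for s in segments]
    return cleaned[0], cleaned[1:]


def is_accelerable(search):
    """True when at least one pipeline segment starts with a transforming command."""
    _, transforms = split_spl(search)
    return any(t.split(" ", 1)[0].lower() in TRANSFORMING_COMMANDS for t in transforms)


def shares_summary(accelerated, candidate):
    """Return (reuses_summary, reason) for a candidate search against an accelerated one.

    Rule of thumb from the thread: everything before the first pipe must be
    identical; only the transforming part may differ. Adding filters to the
    base search (host=, TriggerName=) yields a different dataset and no reuse.
    """
    if not is_accelerable(accelerated):
        return False, "accelerated search has no transforming command"
    acc_base, _ = split_spl(accelerated)
    cand_base, _ = split_spl(candidate)
    if acc_base == cand_base:
        return True, "same base search; transforms may differ"
    return False, "base search differs: %r vs %r" % (acc_base, cand_base)


if __name__ == "__main__":
    for name, candidate in (("narrowed", NARROWED),
                            ("same base", SAME_BASE_DIFFERENT_TRANSFORM)):
        ok, why = shares_summary(ACCELERATED, candidate)
        print("%-10s reuses summary: %-5s (%s)" % (name, ok, why))
```

Run it as a script to see that the narrowed search is rejected because its base search differs, while the variant that only changes the transform is accepted; the same check is useful when deciding whether a dashboard drop-down should modify the base search (summary not reused) or only the commands after the first pipe.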

mattness
Splunk Employee

Did you verify on the Report Acceleration Summaries page that this new search was using the same summary as the original? If this was the case but you added more arguments to the base search (more filters from the drop down or whatever) then maybe it's not accelerating because it needs to rebuild the summary to include the events that would be returned by those new filters.

0 Karma

aaronkorn
Splunk Employee

Thanks for the response. If my search was something like this: index=cerner Application=powerchart OR Application=snsurginet OR Application=firstnet OR Application=phamedmgr OR Application=saanesthesia | timechart avg(ResponseTime) by TriggerName useother=f, would that work? I gave it a shot and it said it looked familiar to my original accelerated search, but it did not inherit the speed. Any ideas?

0 Karma