Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does accelerated searching cache data so it's faster to load that dashboard later?

skoelpin
SplunkTrust
SplunkTrust
‎03-30-2015 01:16 PM

I currently have a dashboard with 24 panels on it. I went ahead and set each report/panel to accelerated and also put it in fast mode.

All of the panels are set for 'Year to Date' and some of the panels will have more than 50 million matches each. So will the accelerated searching cache the historic data so it's faster to load that dashboard later?

If accelerated searching does cache my historic data, then would I have to wait for the data to be 100% loaded for it to be successfully cached or could it be partially loaded then come back to it later and have what was cached so far?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-30-2015 01:35 PM

Honestly, probably not. Fast mode is going to be ignored anyway because all dashboards run searches in fast mode by default. Too much report acceleration can actually be detrimental to Splunk performance because each one you add consumes additional CPU cycles.

At 50 million events, I am going to assume you aren't displaying raw events, in which case you will probably want to implement summary indexing. Summary indexing is your best option for improving the load time of your dashboard. Here are some resources:

http://wiki.splunk.com/Community:Summary_Indexing
http://www.splunk.com/view/SP-CAAACZW

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎03-30-2015 01:35 PM

Honestly, probably not. Fast mode is going to be ignored anyway because all dashboards run searches in fast mode by default. Too much report acceleration can actually be detrimental to Splunk performance because each one you add consumes additional CPU cycles.

At 50 million events, I am going to assume you aren't displaying raw events, in which case you will probably want to implement summary indexing. Summary indexing is your best option for improving the load time of your dashboard. Here are some resources:

http://wiki.splunk.com/Community:Summary_Indexing
http://www.splunk.com/view/SP-CAAACZW

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-30-2015 01:53 PM

I'm using a transforming search (chart) which takes hits on our website and creates a sparkline chart. So would accelerated searching be beneficial for this or would summary indexing be a better option?

Also once all 24 dashboards are loaded up at 100%, will it be much faster to load historical data?

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎03-30-2015 02:00 PM

Yes, it will load historical data much faster. The only disadvantage to summary indexing is that historical data is only available from the point which you started summary indexing. I would encourage you to read-up on both technologies to determine which one is best suited to your environment and use cases.

Another thing you might want to look into, is that if some of your searches are very similar you can use post-processing to improve efficiency. See: http://docs.splunk.com/Documentation/Splunk/6.2.2/Viz/Savedsearches#Post-process_searches

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎03-30-2015 01:31 PM

It doesn't cache it, it builds a summary of the data and runs the report against that. Only reports that include transforming commands (such as chart, timechart, stats, and top) qualify for report acceleration.

See How reports qualify for report acceleration in the Reporting Manual for more information.

Also see the introductory topic about report acceleration in the Knowledge Manager Manual for background about what report acceleration does and how it works.

Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...