one of two reports won't accelerate

RVDowning
Contributor

I have two reports which are identical with the exception of the earliest modifier. One has earliest="8/22/2014:00:00:00", the other earliest=-6months. (The names of the reports are also different.)

The former works as expected. I can't get the latter one to accelerate. In Report Acceleration Summaries the one that works says "Pending Updated: 31m ago" and the one that doesn't work says "Building summary - 0% Updated: Never" and that status never changes. I've tried the Rebuild option under the Summary ID and also the Rebuild option under the Normalized Summary ID, but can't seem to get it to work.

Any ideas?

0 Karma

lguinn2
Legend

There are several valid reasons that this could happen.

If the search returns fewer than 100K events, Splunk will not create the acceleration summary - it's faster for Splunk to do the search as needed. If the number of events grows to greater than 100K, Splunk will then create the summary. I think this is the most likely reason.

Look at Manage Report Acceleration for more ideas.

0 Karma

RVDowning
Contributor

Given that it selected 16,103,292 events, I don't think that this is the issue. The one that does work selected 16,943,827 events.

0 Karma