Monitoring Splunk

When enabling a summary index, why am I getting "This search cannot be accelerated"?

skoelpin
SplunkTrust
SplunkTrust

I set up a dashboard for the marketing team to track analytics using a pivot command. I have about 25 dashboards which have to search through massive amounts of data and the performance is poor. I'm trying to set up a summary index to index this data every hour to enhance search performance. When I enable a summary index I'm getting This search cannot be accelerated. I'm assuming this is due to not having the si on my transformation command. Can anyone help me with this? Below is my search

| pivot RTGSearchAnalytics Hits count(Hits) AS "Count of Hits" SPLITROW SEARCH_TERMS_OUT AS Terms SPLITCOL REGION FILTER SITE is rtgAdults FILTER IS_BOT is false FILTER UserLocation is External SORT 0 SEARCH_TERMS_OUT ROWSUMMARY 1 COLSUMMARY 1 NUMCOLS 0 SHOWOTHER 1 | sort 0 - ALL
0 Karma
1 Solution

woodcock
Esteemed Legend

Let me go into more detail as to the difference.

Splunk acceleration:

  • Increases performance ~2-5x.
  • Automatically preforms backfill.
  • Drilldown to raw data still works.
  • Speeds up a search by creating additional TSIDX mappings into the raw data.
  • Is incredibly robust and requires no housekeeping.
  • Is insensitive to TimeZone and the user who enabled the acceleration.
  • Has a minor "always-on" impact to Indexers and consumes a small amount of disk space but no license.
  • Does not require any conversion (just click the checkbox and you are done).
  • Replaces this question:

    Is there *possibly* a match for my data in this bucket?
    

    With this question:

    Is there definitely a match for my data in this bucket?

    Splunk Summary Index:

  • Astronomical increases in performance are possible (but, if you do it wrong, things can actually be slower).

  • Admin must manually preform backfill.

  • Drilldown to raw data no longer works (must do Advanced dashboard programming to force it to switch back to raw data).

  • Is somewhat fragile and requires reactive housekeeping (many things can cause SI data outages).

  • Is sensitive to TimeZone and the user who runs the "Populating Search".

  • Has a minor "every-hour" impact to Indexers and consumes a small amount of disk space but no license.

  • Speeds up searches by replacing huge amounts of raw data with much smaller amounts of aggregate ("summarized") data in the Summary Index.

  • Requires a Admin to reverse-engineer the desired end-usage of the data in order to construct an appropriate "Populating Search" to do this conversion.

  • Requires that all existing KO uses of the raw data be manually converted (e.g. saved searches, macros, dashboard panels) to pull data from the SI instead of raw data.

View solution in original post

woodcock
Esteemed Legend

Let me go into more detail as to the difference.

Splunk acceleration:

  • Increases performance ~2-5x.
  • Automatically preforms backfill.
  • Drilldown to raw data still works.
  • Speeds up a search by creating additional TSIDX mappings into the raw data.
  • Is incredibly robust and requires no housekeeping.
  • Is insensitive to TimeZone and the user who enabled the acceleration.
  • Has a minor "always-on" impact to Indexers and consumes a small amount of disk space but no license.
  • Does not require any conversion (just click the checkbox and you are done).
  • Replaces this question:

    Is there *possibly* a match for my data in this bucket?
    

    With this question:

    Is there definitely a match for my data in this bucket?

    Splunk Summary Index:

  • Astronomical increases in performance are possible (but, if you do it wrong, things can actually be slower).

  • Admin must manually preform backfill.

  • Drilldown to raw data no longer works (must do Advanced dashboard programming to force it to switch back to raw data).

  • Is somewhat fragile and requires reactive housekeeping (many things can cause SI data outages).

  • Is sensitive to TimeZone and the user who runs the "Populating Search".

  • Has a minor "every-hour" impact to Indexers and consumes a small amount of disk space but no license.

  • Speeds up searches by replacing huge amounts of raw data with much smaller amounts of aggregate ("summarized") data in the Summary Index.

  • Requires a Admin to reverse-engineer the desired end-usage of the data in order to construct an appropriate "Populating Search" to do this conversion.

  • Requires that all existing KO uses of the raw data be manually converted (e.g. saved searches, macros, dashboard panels) to pull data from the SI instead of raw data.

susanrey
New Member

as for the answer here, I want to know why acceleration and summary indexing are different? I also met the same question. I want to learn more.

thanks!

0 Karma

woodcock
Esteemed Legend

You need to read the documentation in the link that I posted in my answer. They are completely different solutions.

0 Karma

woodcock
Esteemed Legend

I just posted a much more complete explanation of the differences.

0 Karma

woodcock
Esteemed Legend

In Splunk, acceleration and Summary Indexing are 2 totally different things that don't necessarily overlap. Additionally, whereas acceleration is relatively easy and either can or can't be done, configuring and exploiting a Summary Index is a multi-stage process and can be quite complicated, especially the first time. I am certain that you should not be attempting to enable Summary Index so that is really what your problem is. Read in detail about Summary Index and you will see that this is not the solution that you think you are attempting:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Usesummaryindexing

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...