- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- How to configure auto_summarize.timespan for accel...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello splunk users,
I have some new-by questions about accelerated reports. I have accelerated a report simply by clicking on "Accelerate Report".
Good! It works!
In report acceleration summaries, Summary Detail I see the auto Timespans, even if I set in savedsearch.conf:
[MyAcceleratedSearch]
...
auto_summarize.timespan = 1d
This is what I see in Summary Detail:
Summarization Load 0.0355
Access Count 3 Last Access: 2h 41m ago
Size on Disk 1299.68MB
Summary Range 365 days
Timespans 10min, 10s, 1d, 1h, 1min, 1s
Buckets 1401
Chunks 166359
Since I would save disk space and I'm not interested on data every second (my search is ...| timechart span=1d) I would like to increase the minimum time span to 1d.
How can I achieve this?
Thank you very much
Best Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I reached your question due the same strange behaviour. Here is what I got:
First, do these changes on Advanced_Edit in "Searches, Reports and Alerts". That way, you don't need a restart to make the parameters "online".
Second
Splunk takes the finest granularity that you specify in auto_summarize.timespan. So if you specify 10s, you are kind of "guaranteeing that you have that minimum granularity". Splunk will probably use other greater granularities, but that's not our business.
So please try altering the timespan in Advanced_Edit and then Rebuild the Summary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I verified that restarting Splunk it works.
I can't find "Advanced_Edit". Maybe is this not present in Splunk 6.2?
Thank you very much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes probably in 6.2 it isn't there yet (sorry).
Feel free to mark this as answered, I'm sure it will solve other people's headaches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I reached your question due the same strange behaviour. Here is what I got:
First, do these changes on Advanced_Edit in "Searches, Reports and Alerts". That way, you don't need a restart to make the parameters "online".
Second
Splunk takes the finest granularity that you specify in auto_summarize.timespan. So if you specify 10s, you are kind of "guaranteeing that you have that minimum granularity". Splunk will probably use other greater granularities, but that's not our business.
So please try altering the timespan in Advanced_Edit and then Rebuild the Summary.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
