timespan from accelerated searches

praveenvemuri · ‎12-15-2012

Hi everyone,

I am using accelerated searches and have issues with span. when i mention span=5min and saved the search with report acceleration on. The searches from search head is not using summarized data if i change the time span to 10 mins. if i use the same search as saved then it is using summarized data. Please advise on how to use summarized data from report acceleration with different timespans.

index=logs | timechart count as "Requests per minute", avg(rsptime) as "Average Response time", dc(ipvod_catalog_clinetips) as uniquestbs, count(eval(catalog_httpcode>399 AND catalog_httpcode<500 )) as 4xx , count(eval(catalog_httpcode>499 AND catalog_httpcode<600 )) as 5xx, count(eval(rsptime<500)) as .5 , count(eval(rsptime>500 AND rsptime<1001 )) as .5to1, count(eval(rsptime>1000 AND rsptime<2001 )) as 1to2, count(eval(rsptime>2000 AND rsptime<5001 )) as 2to5, count(eval(rsptime>5000 AND rsptime<10001 )) as 5to10, count(eval(rsptime>10000 AND rsptime<60001 )) as 10to60, count(eval(rsptime>60000 )) as g60 by hosts

tfruru · ‎03-25-2013

I've just tried - with success - creating the following saved search :

my_search | bin _time span=5m | sistats count by _time interesting_field

which is then used as follows :

my_search | bin _time span=5m | sistats count by _time interesting_field | timechart span=1h count by interesting_field

The acceleration on the initial saved search did give me a big boost in the final search - I'm timecharting about 500 million events in less than 30 seconds now.

You can choose the span in the timechart as you like, but sensible results are only obtained by using a multiple of the initial time bin span.

Jason · ‎03-20-2013

As far as I know, the idea with Report Acceleration is to make the base search the same:

my_search | bin _time span=5m | stats count by _time ....

But, you can take an idea from "PostProcess" dashboards and ensure that your base search (with statistical command on the end) will solve all your use cases - then accelerate it. For example, 5 minute and 10 minute span data can be created from 5 minute span data output by the stats command, by adding another timechart afterwards when running searches:

my_search | bin _time span=5m | stats count by _time .... | timechart span=5m .... 
my_search | bin _time span=5m | stats count by _time .... | timechart span=10m ....

Ensure your statistics functions are right when you collapse 5min spans into 10min spans - do things like sum(count) instead of just count.

csharp_splunk · ‎12-15-2012

Sorry, but changing span will require you to have different saved searches. Due to the way Report Acceleration stores data, the span setting will materially change the rows in the resulting table we store the accelerated results in. In theory we should be able to use multiples in terms of span (i.e., span=5m and span=10m should in theory be compatible), but I don'think it works that way.

csharp_splunk · ‎12-17-2012

You can use span= in the timechart command, but each different span= that you save will be a different accelerated summary. In fact, I'd recommend when you create an accelerated search to put an explicit span= in there, so that you're ensured of hitting the exact accelerated summary that you were planning to hit.

That being said, if you want more granular control, the legacy summary indexing is still there to handle edge cases like this.

praveenvemuri · ‎12-16-2012

Hi csharp_splunk Thank you very much for your response. All of my searches need the results for different timespans. so you mean i cant use report acceleration and go back to old summary indexing. is it something a bug and might be fixed? Anyway thanks for your response spent lot of time trying different saved searches with timepsans without timespans for report acceleration.

timespan from accelerated searches

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life