Hello,
I have created a saved search which uses report acceleration and is similar to:
index=main sourcetype=my_sourcetype | timechart count by host
This is working very well and I can really see that the results are displayed faster.
However, if I run the same search but with the earliest and latest parameters, the search doesn't use the report acceleration anymore. The searches look like:
earliest=-23h@h latest=-2h@h index=main sourcetype=my_sourcetype | timechart count by host
Would anyone know why this is behaving like this?
Regards,
Olivier
Hi Olivier,
The problem here is that a search will only use a Report Acceleration (RA) summary if the hash of the accelerated part of the new search is exactly the same as the original acceleration search.
E.g.:
index=main sourcetype=my_sourcetype | timechart count by host
The entirety of this search above is accelerated and a summary is created from its results.
If we create another search as follows, it WILL use the RA summary generated from the above search because the hash of the RA part of the search is the same as the RA search above:
index=main sourcetype=my_sourcetype | timechart count by host | search host=my_host
Although this search is different to the one that was report accelerated, it will STILL use the summary from the first search because the "RA part" of the search is the EXACT same and thus the hash is the same.
Now if we move back to your example... you have included "earliest" and "latest" in the middle of the "RA part" of the search. This changes the hash and thus it will not use the summary from the original RA search.
Therefore the following search would NOT use the RA summary from my example because we have changed the hash of the RA part of the search and it does not match the original RA search:
index=main earliest=-2d@d latest=now sourcetype=my_sourcetype | timechart count by host | search host=my_host
Does that make sense?
As a rule of thumb, if you want to use a RA summary from another search, you must ensure that the NEW search has the exact same hash as the original RA search, and then you can pipe on more commands. But make sure that the FIRST part of the new search matches the RA search.
Hope that helps.
John
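As an added illustration of the rule John describes (example code written for this page, not part of the thread and not Splunk's own implementation), here is a small Python model that hashes the "RA part" of a search and checks whether a candidate search can reuse the summary. Two things in it are assumptions rather than facts from the thread: sorting the terms of the base search follows Olivier's later remark that term order does not change the hash, and the hoist_time_range helper rests on the idea that a time range supplied outside the search string (time picker, or dispatch.earliest_time / dispatch.latest_time in savedsearches.conf) leaves the hashed string unchanged. The search strings are the ones from the thread.

```python
import hashlib
import re

# Inline time modifiers of the kind Olivier added to his search.
_TIME_TERM = re.compile(r"^(earliest|latest)=", re.IGNORECASE)

# Searches taken from the thread above.
ACCEL = "index=main sourcetype=my_sourcetype | timechart count by host"
FILTERED = ACCEL + " | search host=my_host"
INLINE_TIME = ("earliest=-23h@h latest=-2h@h index=main sourcetype=my_sourcetype"
               " | timechart count by host")


def split_pipeline(spl: str) -> list[str]:
    """Split an SPL string on '|' into trimmed pipeline segments.
    Toy tokenizer: a '|' inside quotes is not handled; none appear here."""
    return [seg.strip() for seg in spl.split("|") if seg.strip()]


def canonical(spl: str) -> str:
    """Canonical text of a search: segments joined by ' | ', with the terms
    of the first (base search) segment sorted. Sorting models Olivier's
    observation that term order does not matter; it is an assumption of
    this example, not a description of Splunk internals."""
    segments = split_pipeline(spl)
    if not segments:
        return ""
    base_terms = sorted(segments[0].split())
    return " | ".join([" ".join(base_terms), *segments[1:]])


def ra_hash(spl: str) -> str:
    """Identifier of the accelerated part: SHA-256 of its canonical text."""
    return hashlib.sha256(canonical(spl).encode()).hexdigest()


def uses_summary(accelerated: str, candidate: str) -> bool:
    """True when the candidate's leading segments hash to the accelerated
    search, i.e. the candidate only pipes extra commands onto it."""
    n = len(split_pipeline(accelerated))
    head = " | ".join(split_pipeline(candidate)[:n])
    return ra_hash(head) == ra_hash(accelerated)


def hoist_time_range(spl: str) -> tuple[str, dict[str, str]]:
    """Move inline earliest=/latest= terms out of the base search and return
    (search string without them, {'earliest': ..., 'latest': ...}).
    The returned range is meant to be supplied out of band (time picker, or
    dispatch.earliest_time / dispatch.latest_time in savedsearches.conf);
    that this keeps the summary usable is the assumption behind this helper."""
    segments = split_pipeline(spl)
    kept, time_range = [], {}
    for term in segments[0].split():
        if _TIME_TERM.match(term):
            key, value = term.split("=", 1)
            time_range[key.lower()] = value
        else:
            kept.append(term)
    return " | ".join([" ".join(kept), *segments[1:]]), time_range


if __name__ == "__main__":
    for name, search in [("filtered", FILTERED), ("inline time", INLINE_TIME)]:
        print(f"{name:12s} uses summary: {uses_summary(ACCEL, search)}")
    clean, time_range = hoist_time_range(INLINE_TIME)
    print("after hoisting:", uses_summary(ACCEL, clean), time_range)
```

Running it reports that the filtered search matches, the inline-time search does not, and the hoisted version of Olivier's search matches again with the time range carried separately.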
I second OL's comment.
This limitation prevents me from using the accelerated summary with specific time ranges.
Hi John, thank you for your answer. From what I understand, the hash is quite clever as it can make the difference between "index=main sourcetype=my_sourcetype" and "sourcetype=my_sourcetype index=main". So that's a pity that it cannot just ignore earliest and latest from the hash!