Reporting

Report acceleration using earliest and latest not possible?

OL
Communicator

Hello,

I have created a saved search which use report acceleration which is similar to:

index=main sourcetype=my_sourcetype | timechart count by host

This is working very well and I can really see that the results are displayed faster.

However, if I run the same search but with the earliest and latest parameters, the search doesn't use the report acceleration anymore. The searches look like:

earliest=-23h@h latest=-2h@h index=main sourcetype=my_sourcetype | timechart count by host

Would anyone know why this is behaving like this?

Regards,

Olivier

1 Solution

jdunlea_splunk
Splunk Employee

Hi Olivier,

The problem here is that a search will only use a Report Acceleration (RA) summary if the hash of the accelerated part of the new search is exactly the same as the original acceleration search.

EG:

index=main sourcetype=my_sourcetype | timechart count by host

The entirety of this search above is accelerated and a summary is created from its results.

If we create another search as follows, it WILL use the RA summary generated from the above search because the hash of the RA part of the search is the same as the RA search above:

index=main sourcetype=my_sourcetype | timechart count by host | search host=my_host

Although this search is different to the one that was report accelerated, it will STILL use the summary from the first search because the "RA part" of the search is the EXACT same and thus the hash is the same.

Now if we move back to your example... you have included "earliest" and "latest" in the middle of the "RA part" of the search. This changes the hash and thus it will not use the summary from the original RA search.

Therefore the following search would NOT use the RA summary from my example because we have changed the hash of the RA part of the search and it does not match the original RA search:

index=main earliest=-2d@d latest=now sourcetype=my_sourcetype | timechart count by host | search host=my_host

Does that make sense?

As a rule of thumb, if you want to use an RA summary from another search, you must ensure that the NEW search has the exact same hash as the original RA search, and then you can pipe on more commands. But make sure that the FIRST part of the new search matches the RA search.

Hope that helps.

John
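To make the prefix-hash rule in the answer above concrete, here is a small model of it in Python. This is an added example, not Splunk's own code and not the actual hashing Splunk performs internally: it splits a search on its pipes, treats the accelerated search as the required leading segments of a candidate search, and compares a hash of those segments. The assumption that the base-search terms are sorted before hashing (so that `index=main sourcetype=x` and `sourcetype=x index=main` compare equal) is a modelling choice for this example, and the helper names are the example's own.

```python
import hashlib
import re
from typing import List

# The accelerated search from the thread.
ACCELERATED = "index=main sourcetype=my_sourcetype | timechart count by host"


def split_pipeline(spl: str) -> List[str]:
    """Split an SPL string on pipes and collapse whitespace in each segment.

    Simplification for this model: pipes inside quoted strings are not
    handled, which is fine for the searches discussed in the thread.
    """
    return [" ".join(seg.split()) for seg in spl.split("|")]


def normalise_base(base: str) -> str:
    """Sort the terms of the base search so that term order does not matter.

    Assumption of this model, not a statement about Splunk's internal hash.
    earliest=/latest= terms placed in the base search survive normalisation,
    so they still change the resulting hash, which is the behaviour the
    thread describes.
    """
    return " ".join(sorted(base.split()))


def ra_segments(spl: str) -> List[str]:
    """Return the normalised segments that make up the 'RA part' of a search."""
    segs = split_pipeline(spl)
    return [normalise_base(segs[0])] + segs[1:]


def ra_hash(segments: List[str]) -> str:
    """Hash a list of normalised segments (SHA-256 of the re-joined pipeline)."""
    return hashlib.sha256("|".join(segments).encode("utf-8")).hexdigest()


def can_use_summary(accelerated: str, candidate: str) -> bool:
    """True when the candidate's leading segments hash the same as the
    accelerated search, i.e. the candidate only pipes extra commands on."""
    acc = ra_segments(accelerated)
    cand = ra_segments(candidate)
    if len(cand) < len(acc):
        return False
    return ra_hash(cand[: len(acc)]) == ra_hash(acc)


def time_bounds_in_base(spl: str) -> bool:
    """Detect earliest=/latest= written inside the base search string, the
    pattern that breaks summary reuse in the thread."""
    base = spl.split("|")[0]
    return re.search(r"\b(earliest|latest)\s*=", base) is not None


if __name__ == "__main__":
    for search in (
        "index=main sourcetype=my_sourcetype | timechart count by host | search host=my_host",
        "earliest=-23h@h latest=-2h@h index=main sourcetype=my_sourcetype | timechart count by host",
        "index=main earliest=-2d@d latest=now sourcetype=my_sourcetype | timechart count by host | search host=my_host",
    ):
        print(
            f"uses summary: {can_use_summary(ACCELERATED, search)!s:5}  "
            f"time bounds in base: {time_bounds_in_base(search)!s:5}  {search}"
        )
```

Running the block prints one line per candidate search: the search that only appends `| search host=my_host` reuses the summary, while both searches that place `earliest`/`latest` inside the base search do not, and `time_bounds_in_base` flags exactly those two.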

sansay
Contributor

I second OL's comment.
This limitation prevents me from using the accelerated summary with specific time ranges

0 Karma

OL
Communicator

Hi John, thank you for your answer. From what I understand, the hash is quite clever as it can make the difference between "index=main sourcetype=my_sourcetype" and "sourcetype=my_sourcetype index=main". So it's a pity that it cannot just ignore earliest and latest from the hash!

0 Karma