Reporting

Report acceleration using earliest and latest not possible?

OL
Communicator

Hello,

I have created a saved search which uses report acceleration and is similar to:

index=main sourcetype=my_sourcetype | timechart count by host

This is working very well and I can really see that the results are displayed faster.

However, if I run the same search but with the earliest and latest parameters, the search doesn't use the report acceleration anymore. The searches look like:

earliest=-23h@h latest=-2h@h index=main sourcetype=my_sourcetype | timechart count by host

Would anyone know why this is behaving like this?

Regards,

Olivier

1 Solution

jdunlea_splunk
Splunk Employee

Hi Olivier,

The problem here is that a search will only use a Report Acceleration (RA) summary if the hash of the accelerated part of the new search is exactly the same as that of the original acceleration search.

EG:

index=main sourcetype=my_sourcetype | timechart count by host

The entirety of this search above is accelerated and a summary is created from its results.

If we create another search as follows, it WILL use the RA summary generated from the above search because the hash of the RA part of the search is the same as the RA search above:

index=main sourcetype=my_sourcetype | timechart count by host | search host=my_host

Although this search is different to the one that was report accelerated, it will STILL use the summary from the first search because the "RA part" of the search is the EXACT same and thus the hash is the same.

Now if we move back to your example... you have included "earliest" and "latest" in the middle of the "RA part" of the search. This changes the hash and thus it will not use the summary from the original RA search.

Therefore the following search would NOT use the RA summary from my example, because we have changed the hash of the RA part of the search and it does not match the original RA search:

index=main earliest=-2d@d latest=now sourcetype=my_sourcetype | timechart count by host | search host=my_host

Does that make sense?

As a rule of thumb, if you want to use a RA summary from another search, you must ensure that the NEW search has the exact same hash as the original RA search, and then you can pipe on more commands. But make sure that the FIRST part of the new search matches the RA search.

Hope that helps.

John

sansay
Contributor

I second OL's comment.
This limitation prevents me from using the accelerated summary with specific time ranges.


OL
Communicator

Hi John, thank you for your answer. From what I understand, the hash is quite clever as it can make the difference between "index=main sourcetype=my_sourcetype" and "sourcetype=my_sourcetype index=main". So that's a pity that it cannot just ignore earliest and latest from the hash!

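Added example (mine, not code from the thread or from Splunk): a small Python lint that models the rule John states in the accepted answer and the behaviour OL reports in the reply above. A candidate search reuses a summary only if its leading pipeline stages equal the accelerated report's stages; further stages may be appended; inline earliest=/latest= inside that prefix break the match; and plain key=value terms in the base search are treated as order-insensitive. It is a heuristic for checking dashboard or saved searches against the search strings of your accelerated reports, not Splunk's actual hash, which the thread does not document. The remediation hint in its output (keep the time range out of the search string, or filter on _time in a later stage) is my inference from that rule; it says nothing about whether a summary actually covers the requested range. The sample searches are the ones posted in the thread.

```python
"""Lint helper modelling the Report Acceleration (RA) summary-matching rule.

Added illustration, not Splunk code. Rule modelled: a search reuses an
accelerated report's summary only when its leading stages are identical to
the accelerated search; extra stages may follow. Inline earliest=/latest=
terms in that prefix change it, so the summary is not used.
"""
from __future__ import annotations

import shlex

TIME_MODIFIERS = {"earliest", "latest"}  # the two terms the thread is about


def split_pipeline(spl: str) -> list[str]:
    """Split SPL on '|' outside double quotes, keeping stage order."""
    stages, buf, in_quote = [], [], False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages


def normalize_base(base: str) -> tuple[str, ...]:
    """Canonical form of the generating search (the first stage).

    Assumption, modelling OL's observation: plain key=value terms match
    regardless of order, so they are sorted. AND/OR/NOT and parentheses make
    order significant, so such searches are kept verbatim (a conservative
    'no match' beats a false 'match').
    """
    tokens = shlex.split(base)
    if any(t.upper() in {"AND", "OR", "NOT"} or "(" in t or ")" in t for t in tokens):
        return tuple(tokens)
    return tuple(sorted(tokens))


def ra_key(spl: str) -> tuple:
    """Stages in canonical form; this stands in for the (undocumented) RA hash."""
    stages = split_pipeline(spl)
    rest = tuple(" ".join(s.split()) for s in stages[1:])  # collapse whitespace only
    return (normalize_base(stages[0]),) + rest


def inline_time_modifiers(spl: str) -> list[str]:
    """earliest=/latest= terms written inside the generating search."""
    return [t for t in shlex.split(split_pipeline(spl)[0])
            if t.split("=", 1)[0].lower() in TIME_MODIFIERS]


def uses_summary(accelerated: str, candidate: str) -> tuple[bool, str]:
    """Decide whether `candidate` would reuse the summary built for `accelerated`."""
    acc, cand = ra_key(accelerated), ra_key(candidate)
    if cand[:len(acc)] == acc:
        extra = len(cand) - len(acc)
        return True, f"accelerated part matches; {extra} extra stage(s) run on top of the summary"
    mods = inline_time_modifiers(candidate)
    if mods:
        return False, (f"{' '.join(mods)} inside the accelerated part changes its hash; "
                       "keep the time range out of the search string or filter on _time "
                       "in a stage after the accelerated part")
    return False, "accelerated part differs from the accelerated report"


if __name__ == "__main__":
    # Constructed from the searches posted in the thread.
    accelerated = "index=main sourcetype=my_sourcetype | timechart count by host"
    candidates = [
        accelerated + " | search host=my_host",
        "earliest=-23h@h latest=-2h@h index=main sourcetype=my_sourcetype | timechart count by host",
        "index=main earliest=-2d@d latest=now sourcetype=my_sourcetype | timechart count by host | search host=my_host",
        "sourcetype=my_sourcetype index=main | timechart count by host",
        accelerated + ' | where _time >= relative_time(now(), "-23h@h")',
    ]
    for c in candidates:
        ok, why = uses_summary(accelerated, c)
        print(f"{'USES   ' if ok else 'MISSES '} {c}\n         {why}")
```

Feed it the search strings of your accelerated reports (for instance the `search` field of each saved search with `auto_summarize=1`) and the searches from your dashboards; anything reported as MISSES with a time-modifier reason is a search that only needs its time range moved out of the accelerated prefix.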