Knowledge Management

Should I convert existing Summary searches to Report Acceleration?

kenliu
Explorer

Hi, before Splunk 5 we created about 40 saved searches that populate a summary index, and about 70 other saved searches plus a handful of dashboards that query against the summary index. Now that we've upgraded to version 5, should we convert some (or all) to use Report Acceleration instead? What are some things we need to take into consideration when making that decision?

0 Karma
1 Solution

mattness
Splunk Employee

Splunk covers these questions in their documentation; see this topic:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutsummaryindexing

Here's the tl;dr version:

There are a number of reasons why report acceleration is preferable to summary indexing, such as the fact that report acceleration employs automatic backfill and does a better job handling late-arriving events, not to mention the fact that you can automatically get acceleration benefits with searches that are similar to searches that have already been accelerated.

Ideally, you should use report acceleration for any search that qualifies for report acceleration. Read the docs for more info about that.

You'll want to stick to summary indexing when:

  • The search that builds the summary index includes nonstreamable commands before the first transforming command.
  • You want to run a report against a specific summary index by including `index=<summary_index_name>` in the search string. Under report acceleration, Splunk automatically determines which data summary it will run reports against.

Of course, if your summary indexes are working fine for you after your upgrade, it's really up to you.

ChrisG
Splunk Employee

Not all your searches are necessarily eligible for report acceleration. Only searches that use reporting commands can use report acceleration. Read About report acceleration and summary indexing in the Knowledge Manager Manual for an explanation of the differences--it should help you make the determination.

0 Karma
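
An added example, not part of the original thread and not Splunk tooling: a first-pass triage of saved-search strings against two criteria from the answers above (a transforming command must be present, and no nonstreamable command may precede the first one). It does not cover reports that name a summary index explicitly. The command sets are a partial, assumed classification and the sample searches are constructed.

```python
# Partial command classification (an assumption for this example); confirm each
# command's type in the Splunk command reference for your version.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}
STREAMING = {"search", "eval", "rex", "where", "fields", "rename", "regex"}
NONSTREAMING = {"sort", "eventstats", "transaction", "tail", "reverse"}

def split_pipeline(spl):
    """Split on pipes that sit outside double quotes and [subsearches]."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in spl:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == "|" and not quoted and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def triage(spl):
    """Return (verdict, reason) for one saved-search string."""
    stages = split_pipeline(spl)
    # Without a leading pipe, the first stage is the implicit base search.
    if not spl.lstrip().startswith("|"):
        stages = stages[1:]
    for cmd in (s.split()[0].lower() for s in stages):
        if cmd in TRANSFORMING:
            return ("candidate", f"only streaming commands before '{cmd}'")
        if cmd in NONSTREAMING:
            return ("keep-summary-index", f"'{cmd}' precedes the first transforming command")
        if cmd not in STREAMING:
            return ("review", f"'{cmd}' is not classified in this example")
    return ("not-eligible", "no transforming command found")

# Constructed sample searches, not taken from the thread.
SAMPLES = {
    "errors_by_host": 'index=web status>=500 | eval h=lower(host) | stats count by h',
    "sessions": "index=web | transaction clientip | stats avg(duration)",
    "raw_errors": 'index=web "a|b" | where status=500',
    "geo": "index=web | iplocation clientip | top Country",
}

if __name__ == "__main__":
    for name, spl in SAMPLES.items():
        print(name, *triage(spl), sep=" -> ")
```

A "candidate" verdict only means the search passed these two checks; the documentation linked in the accepted answer lists the full qualification rules.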