Documentation > Splunk > Admin Manual > Cache report results

Admin Manual

 


How Splunk Works
Getting Started
Data Inputs
Data Distribution
Indexing
Timestamps
Fields
Hosts
Source Types
Event Types
Transaction Types
Search
Distributed Search
Security
Data Management
Deployment Server
Performance Tuning
Configuration Files
Applications
Reference
Troubleshooting

Cache report results

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Cache report results

The reportcache script lets you run a search over a small timeframe, save the results of that search to a designated "cache" index, and repeat that process over time to accumulate exactly the data needed for the report when running it over longer timeframes. You can create a saved search that runs periodically to accumulate this data. Then, when you want to run the report ad hoc over a longer timeframe, the data is already sorted and calculated, and the report runs very quickly.


For example, suppose you want to run nightly reports on "top users by bandwidth". You could run the report every night, but maybe there are times during the day when you want incremental results, or perhaps you want to look at last week, or get dailies over a month. Every time you run the report, you search across all your data (not just the bandwidth-related events) and recalculate "top users by bandwidth". As the overall size of your data set grows, it takes longer and longer to run the report. If the specific data you're interested in is already in its own special index, the report will run quickly.


Install and configure the reportcache script

1. Download the reportcache search script from SplunkBase and put it in $SPLUNK_HOME/etc/searchscripts directory. The user Splunk runs as must have permissions to run this script.


You do not need to restart at this time.


2. Add a cache index to which you will write your cached data. Do one of the following:


You must restart Splunk after adding the index. 


      [cache]
      homePath = $SPLUNK_DB/cache/db
      coldPath = $SPLUNK_DB/cache/colddb
      thawedPath = $SPLUNK_DB/cache/thaweddb

Set up and test reportcache

Build your search to populate the cache and test it. For example, here is a search to try:


index=_internal metrics "group=queue" timechart avg(current_size) by name

To test the reportcache script, you can save the output to a file:


index=_internal metrics "group=queue" timechart avg(current_size) by name | reportcache index=my_new_cache_index path=/tmp file=testcache.log notimestamp

In this example, the output goes to /tmp/testcache.log.


Once you've verified that the results are to your liking, you can send the results to an index in order to persist the result:


index=_internal metrics "group=queue" timechart avg(current_size) by name | reportcache index=my_new_cache_index

Save this search to run on a frequent schedule to generate data for later reports.


For a full list of arguments of the reportcache script, either review reportcache.py itself, or have a look at the online documentation.


Use cached data

Search the new index to get reports based on the cached events:


index=my_new_cache_index foo
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.2.4/Admin/CacheReportResults"

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!