Splunk® Enterprise

Knowledge Manager Manual

Accelerate tables

If you have a table dataset that contains a large amount of data, you can accelerate it so that searches, reports, and dashboard panels that use or extend it return results faster than they would otherwise.

With table acceleration, the Splunk software treats each table dataset as if it were a data model made up of a single root search data model dataset.

See Design data model datasets for information about root search data model datasets.

Things to know about table acceleration

Before you accelerate your table datasets, there are some restrictions and best practices to be aware of.

The benefits of acceleration are only available to tables when you apply the tstats or pivot commands to them

You see the acceleration benefits when you run a search that uses the tstats or pivot commands to reference a table. You also see acceleration benefits when you use the Pivot editor to create a report or dashboard panel that uses an accelerated table. You do not see acceleration benefits when you use a command such as from to reference an accelerated table.

By default, only users whose roles have the accelerate_datamodel capability can accelerate table datasets

Table acceleration can be resource-intensive, so it should be used conservatively by a limited number of Splunk users.

You cannot enable acceleration for private tables

You must share a table to make it eligible for acceleration. You must also share, in exactly the same way, any related knowledge objects that your lookup fields depend on, such as lookup tables and lookup definitions.

You can apply table acceleration only to tables that use purely streaming search commands

If you use the action menus to apply the Sort, Limit Rows, Remove Duplicates or Stats actions to your table, you cannot accelerate it.

You cannot accelerate a table that is extended from a lookup file or lookup definition

Lookup dataset extension involves search operations that are not streaming. This disqualifies the table from being accelerated in the same way that non-streaming commands do. See Dataset extension.

If you want to accelerate a table that is extended from other tables, you must share those tables as well

The parent table or tables that a child table is extended from must be shared before you can accelerate the child table.

If you edit an accelerated table, the Splunk software rebuilds its acceleration summary when you save your changes

When you change a dataset definition, its summary becomes invalid and must be replaced.

Table acceleration is most efficient if the table being accelerated specifies the indexes to be searched in its initial data search

If you do not specify an index, the Splunk software searches all available indexes for the table and can create unnecessarily large acceleration summaries.

For details about how table acceleration works and tips on managing table acceleration summaries, see Accelerate data models.
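The restrictions above can be checked before you request acceleration. The following Python sketch is an added example, not Splunk code: the dict layout, the sample tables, and the mapping of the Sort, Limit Rows, Remove Duplicates and Stats actions to the SPL commands `sort`, `head`, `dedup` and `stats` are assumptions made for illustration.

```python
import re

# Assumption: the SPL commands behind the table editor actions named above.
NON_STREAMING = {"sort": "Sort", "head": "Limit Rows",
                 "dedup": "Remove Duplicates", "stats": "Stats"}

def split_pipeline(search):
    """Split SPL on pipes that sit outside double quotes and subsearches."""
    segments, current, depth, quoted = [], [], 0, False
    for ch in search:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == "|" and not quoted and depth == 0:
            segments.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    segments.append("".join(current).strip())
    return [s for s in segments if s]

def acceleration_findings(table):
    """List the restrictions and best practices from this page that a table violates."""
    findings = []
    if table["sharing"] == "private":
        findings.append("table is private")
    if table.get("extends_lookup"):
        findings.append("extended from a lookup")
    for name, sharing in table.get("parents", {}).items():
        if sharing == "private":
            findings.append(f"parent table {name} is private")
    segments = split_pipeline(table["search"])
    # Heuristic: look for an index= term in the initial data search only.
    if not segments or not re.search(r"\bindex\s*=", segments[0]):
        findings.append("initial search names no index")
    for segment in segments[1:]:
        command = segment.split()[0].lower()
        if command in NON_STREAMING:
            findings.append(f"{NON_STREAMING[command]} ({command}) is not streaming")
    return findings

# Constructed sample tables; the dict layout is hypothetical.
SHARED_OK = {"sharing": "app",
             "search": "index=web sourcetype=access_combined | eval kb=bytes/1024"}
PRIVATE_BAD = {"sharing": "private", "parents": {"web_base": "private"},
               "search": 'sourcetype=access_combined uri="/a|b" | dedup clientip | head 100'}

if __name__ == "__main__":
    for label, table in (("SHARED_OK", SHARED_OK), ("PRIVATE_BAD", PRIVATE_BAD)):
        print(label, acceleration_findings(table))
```

The index check is a heuristic on the first pipeline segment; a missing index is an efficiency finding rather than a hard blocker, because the page says only that it can create unnecessarily large summaries.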

Accelerate a table dataset

Access the table dataset acceleration settings through the Datasets listing page or the Explorer view of a dataset.

Steps

  1. Select Manage > Edit Acceleration for the dataset you want to accelerate.
  2. Select Accelerate.
  3. Select a Summary Range.
    • Your choice depends on the range of time over which you plan to run searches, reports, or dashboard panels that use the accelerated table. For example, if you plan to run dashboard panels using the table over periods of time that fall within the previous seven days, choose 7 Days.
    • If you require a different summary range than the ones supplied by the Summary Range field, you can configure it for your table in datamodels.conf.
  4. Click Save.
    When your table is accelerated, the lightning bolt symbol for the table turns yellow.

Inspect table acceleration metrics

After you accelerate a table you can find its acceleration metrics on the Data Models management page. Expand the row for the accelerated table and review the information that appears under ACCELERATION.

Metric | Description
--- | ---
Status | Tells you whether the acceleration summary for the table is complete. When the summary is in Building status you also see what percentage of the summary is complete. Many table summaries are constantly updating with new data. This means that a summary that is Complete at one moment may be Building later.
Access Count | Shows you how many times the table summary has been accessed since it was created, and when the last access time was. Useful when you are trying to determine which accelerated tables are not being used frequently. Because table acceleration uses system resources, you might not want to accelerate tables that are not regularly accessed.
Size on Disk | Shows you how much disk space the table acceleration summary uses. Use this metric along with the Access Count to determine which summaries are unnecessary and can be deleted. If a table acceleration summary is using a large amount of disk space, consider reducing its summary range.
Summary Range | Presents the range of the table acceleration summary, in seconds, always relative to the present moment. You set this range when you enable acceleration for the table.
Buckets | Displays the number of index buckets spanned by the table acceleration summary.

Click Rebuild to rebuild the summary. You might want to do this if you suspect that there has been data loss due to a system crash or a similar mishap. Splunk Enterprise rebuilds summaries when you edit a table, or when you disable and reenable table acceleration.

Click Update to refresh the acceleration summary detail information.

Click Edit to open the Edit Acceleration dialog box to change the Summary Range, or to disable acceleration for the table.

Accelerating data model datasets

Data model datasets are accelerated at the data model level. You can access the Data Models management page by selecting Settings > Data Models.

For more information, see Accelerate data models.

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2

