Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Accelerate table datasets

If you have a table dataset that contains a large amount of data, you can accelerate it so that searches, reports, and dashboard panels that use or extend it return results faster.

With table acceleration, Splunk software treats each table dataset as if it were a data model made up of a single root search data model dataset.

Things to know about table acceleration

Before you accelerate your table datasets, there are some requirements, restrictions, and best practices to be aware of.

Requirements

  • Table acceleration only works when you run a search that uses the tstats or pivot commands to reference a table. You also see acceleration benefits when you use the Pivot editor to create a report or dashboard panel that uses an accelerated table. You do not see acceleration benefits when you use a command such as from to reference an accelerated table.
  • By default, only users whose roles have the accelerate_datamodel capability can accelerate table datasets.
  • You must share a table to make it eligible for acceleration. You must also share related knowledge objects, such as lookup tables and lookup definitions that your lookup fields are dependent upon.
  • If you want to accelerate a table that is extended from other tables, you must share those tables as well. The parent table or tables that a child table is extended from must be shared before you can accelerate the child table.
  • You can apply table acceleration only to tables that use purely streaming commands.

Restrictions

  • You cannot enable acceleration for private tables.
  • If you use the action menus to apply the Sort, Limit Rows, Remove Duplicates, or Stats actions to your table, you cannot accelerate it.
  • You cannot accelerate a table that is extended from a lookup file or lookup definition. Lookup dataset extension involves search operations that are not streaming commands. This disqualifies it from being accelerated because you can apply table acceleration only to tables that use purely streaming search commands.

Best practices

  • Table acceleration can be resource-intensive, so use it conservatively with a limited number of Splunk users.
  • When you change a dataset definition, its summary becomes invalid and must be replaced. The Splunk software automatically rebuilds its acceleration summary when you edit an accelerated table and save your changes.
  • In tables that you accelerate, specify the indexes to be searched in their initial data search. This leads to more efficient table acceleration. If you do not specify an index, the Splunk software searches all available indexes for the table and can create unnecessarily large acceleration summaries.

For details about how table acceleration works and tips on managing table acceleration summaries, see Accelerate data models.

Accelerate a table dataset

Access the table dataset acceleration settings through the Datasets listing page or the Explorer view of a dataset.

  1. Select Edit > Edit Acceleration for the dataset you want to accelerate.
  2. Select Accelerate.
  3. Choose a Summary Range.
    • Your choice depends on the range of time over which you plan to run searches, reports, or dashboard panels that use the accelerated table.
    • (Optional) If you require a different summary range than the ones supplied by the Summary Range field, configure it for your table in datamodels.conf. See datamodels.conf.
  4. Click Save.
    When your table is accelerated, the yellow lightning bolt symbol for the table has a yellow color. You can also check the datasets listing page to see if your table is accelerated.

Inspect table acceleration metrics

After you accelerate a table you can find its acceleration metrics on the Data Models management page. Expand the row for the accelerated table and review the information that appears under ACCELERATION.

Metric Description
Status Tells you whether the acceleration summary for the table is complete. When the summary is in Building status, you also see what percentage of the summary is complete. Many table summaries are constantly updating with new data. This means that a summary that is Complete at one moment might be Building later.
Access Count Shows you how many times the table summary has been accessed since it was created, and when the last access time was. This metric is useful when you are trying to determine which accelerated tables are not being used frequently. Because table acceleration uses system resources, you might not want to accelerate tables that are not regularly accessed.
Size on Disk Shows you how much disk space the table acceleration summary uses. Use this metric along with the Access Count to determine which summaries are unnecessary and can be deleted. If a table acceleration summary is using a large amount of disk space, consider reducing its summary range.
Summary Range Presents the range of the table acceleration summary, in seconds, always relative to the present moment. You set this range when you enable acceleration for the table.
Buckets Displays the number of index buckets spanned by the table acceleration summary.

Click Rebuild to rebuild the summary. You might want to do this if you suspect that there has been data loss due to a system crash or a similar mishap. The Splunk software rebuilds summaries when you edit a table, or when you disable and reenable table acceleration.

Click Update to refresh the acceleration summary detail information.

Click Edit to open the Edit Acceleration dialog box to change the Summary Range or to disable acceleration for the table.

Accelerating data model datasets

Data model datasets are accelerated at the data model level. You can access the Data Models management page by selecting Settings > Data Models.

For more information, see Accelerate data models.

Last modified on 17 March, 2023
PREVIOUS
Dataset extension
  NEXT
About data models

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters