Accelerate reports
If your report has a large number of events and is slow to complete when you run it, you may be able to accelerate it so it completes faster when you run it in the future. When you accelerate a report, Splunk software runs a background process that builds a data summary based on the results returned by the report. When you next run the search, it runs against this summary rather than the full index. Because this summary is smaller than the full index and contains precomputed summary data relevant to the search, the search should complete much quicker than it did when you first ran it.
Restrictions on report acceleration
You cannot accelerate a report if:
- You created it though Pivot. Pivot reports are accelerated via data model acceleration. See Manage data models in the Knowledge Manager Manual.
- Your permissions do not enable you to accelerate searches. You cannot accelerate reports if your role does not have the
schedule_search
andaccelerate_search
capabilities. - Your role does not have write permissions for the report.
- The search that the report is based upon is disqualified for acceleration. See How reports qualify for report acceleration, in this topic.
In addition, be careful when accelerating reports whose base searches include tags, event types, search macros, and other knowledge objects whose definitions can change independently of the report after the report is accelerated. If this happens, the accelerated report can return invalid results.
If you suspect that your accelerated report is returning invalid results, you can verify its summary to see if the data contained in the summary is consistent. See Verify a summary, in the Knowledge Manager Manual.
The Edit Acceleration dialog
If your permissions enable you to accelerate a specific report and the report also qualifies for acceleration, you can accelerate it when you create it, or at any point after it has been created.
- When you save a search as a report, you'll be brought to a Your Report Has Been Created dialog, Click Additional Settings and select Acceleration.
- If you want to accelerate an existing report, navigate to the Reports listing page or the report viewing page.
- On the Reports listing page, to accelerate a report (or change its current acceleration configuration):
- Expand the row for a report and click Edit for Acceleration.
- Or click Edit for a selected report and select Edit Acceleration.
- On the report viewing page (which you access by clicking the report's name on the Reports listing page), to accelerate a report:
- Click Edit and select Edit acceleration.
- Or click More info and click Edit next to the acceleration status.
- On the Reports listing page, to accelerate a report (or change its current acceleration configuration):
Note: If you try to accelerate a report that does not qualify for acceleration, you will receive an error message informing you that the report cannot be accelerated.
On the Edit Acceleration dialog, select Accelerate Report to expose Summary Range.
When you accelerate a report, you must choose a Summary Range value such as 7 Days, 3 Months, or All Time. This range represents the approximate span of time that is always covered by the summary at any given moment, once it is built. When the summary is built and you run this report again, to get full acceleration benefits the report must have a time range that fits within this summary range. For more information, see the subtopic "How Summary Range works," below.
Note: The data summaries discussed here operate on principles similar to those of traditional summary indexes, but that's where their resemblance ends. The data summaries that are created for report acceleration purposes are not summary indexes. For more information about report acceleration and summary indexing, and information about why one might prefer one method over the other, see About report acceleration and summary indexing in the Knowledge Manager Manual.
How Summary Range works
Summary Range sets the approximate range of time that a report's data summary will cover. When you run the report in the future only the portion of it that falls within that range will benefit from acceleration.
For example, if you choose a Summary Range of 7 Days, you're saying that going forward you want a summary that always covers at least the last seven days. As time passes, Splunk software will delete data from this summary that is older than seven days while it continues to summarize incoming new data.
Once this summary is built, the report associated with it will complete relatively quickly as long as you run it over time ranges that fall within the past seven days. If you run the report over the past 10 days, it'll get acceleration benefits for the portion of the search that covers the last seven days, but the portion of the search that covers the remaining 3 days will have to run over raw data and will not be accelerated.
The same goes for the other Summary Range settings. Choose 1 Month if you plan to run the report over time ranges that are fall within the last 30 days. Choose 1 Year if you anticipate that you'll need to run the search over time ranges that fall within the past year. Keep in mind that larger summaries take longer to generate at first and will consume more storage resources.
Note: If you don't want there to be any restrictions over when you can run a search and still get acceleration benefits, choose All Time.
Search mode and report acceleration
Report acceleration only works for reports that have Search Mode set to Smart or Fast. If you select the Verbose search mode for a report that has been accelerated, it will run as slow as it would if it were not accelerated at all. For more information about the Search Mode settings, see Set search mode to adjust your search experience in the Search Manual.
How reports qualify for report acceleration
To qualify for acceleration, the search the report is based on must have the following qualities:
- The base search must use a transforming command (such as
chart
,timechart
,stats
, andtop
). - If the base search has commands before the transforming command, they must be streaming commands. Non-streaming commands are allowed after the first transforming command.
- The base search must run in the smart or fast search mode. If you save the report in verbose mode and accelerate it, Splunk software automatically changes the search mode to smart or fast. You cannot change the search mode of a report that has already been accelerated to verbose.
- The base search cannot use event sampling.
- The base search cannot include subsearches or time modifiers.
For more information about event sampling, see Sample set of events in the Search Manual.
For examples of qualifying and non-qualifying searches, see Manage report acceleration, in the Knowledge Manager Manual.
Manage your report acceleration summaries
Splunk Web provides a Manager page for this feature at Manager > Report Acceleration Summaries. On this page you can review the report summaries to which you have access. You can see the reports that apply to them, view their build progress, verify their consistency, rebuild them when they are damaged, delete summaries that are obsolete or which are taking up needed space, and more.
Note: You can only access the Report Acceleration Summaries page in Manager if your role enables you to accelerate reports (your role must have the schedule_search
capability).
It's important to note that as the number of summaries in use by your implementation stacks up, you may encounter storage and performance impacts. This is because search acceleration summaries require storage space and, to keep them updated, Splunk software has to run searches in the background on new data every 10 minutes. The Report Acceleration Summaries page enables you to quickly identify summaries that are taking up more space than they are worth, given the frequency of their use.
For more information about report acceleration, including an explanation of what is happening behind the scenes, a discussion of summary storage and performance considerations, and more tips on summary management with the Report Acceleration Summaries page, see Manage report acceleration, in the Knowledge Manager Manual.
Set report permissions | Schedule reports |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!