Splunk: Accelerating Reports

By Anvesh, published in SilentTech, Aug 6, 2023

Report acceleration is a Splunk Enterprise feature that speeds up a transforming search or report that takes a long time to execute because it runs over a large number of datasets.
It creates a separate summary of the data on the indexer and stores that summary within ordinary indexes, parallel to the bucket or buckets that cover the time range over which the report acceleration summary is created.

Once the report acceleration summary has been created, Splunk Enterprise searches the summary instead of the raw data (_raw) in the index, so the search query executes faster.

Report acceleration involves many concepts; for now, let's see how to accelerate a report and verify the performance improvement.

Let's take the search query below.

Go to Job → Inspect.

The above query took 0.301 seconds for 1500 events.

Now let's save this search as a report and accelerate it.

Go to Settings → Searches, reports, and alerts, where you can see your report.

Click Run; it opens a new search running against the report.

Click Edit, then Edit Acceleration.

I got the error below; yes, it's expected because of our query.

A search query must meet certain conditions to qualify for acceleration.

To accelerate a search, it must be a transforming search, that is, one made up of transforming commands.

Transforming commands include chart, timechart, stats, top, rare, contingency, and highlight.
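
A pre-check for the rule above, as an added example (not code from the original article or from Splunk): it splits an SPL string into top-level pipeline stages and reports whether any stage uses one of the transforming commands listed in this article. The sample searches are constructed, and only the transforming-command condition described here is checked.

```python
# Added example: does an SPL search contain a top-level transforming command?
# The command list is the one given in this article.
TRANSFORMING = {"chart", "timechart", "stats", "top", "rare", "contingency", "highlight"}

def split_pipeline(spl):
    """Split SPL on top-level pipes, ignoring pipes in quotes or [subsearches]."""
    stages, buf, depth, in_quote, escaped = [], [], 0, False, False
    for ch in spl:
        if escaped:                      # character after a backslash inside quotes
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == "[":
            depth += 1
        elif not in_quote and ch == "]":
            depth = max(0, depth - 1)
        elif ch == "|" and not in_quote and depth == 0:
            stages.append("".join(buf).strip())
            buf = []
            continue                     # the pipe itself is not part of a stage
        buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]

def command_names(spl):
    """Command name of each top-level stage, in order."""
    implicit_search = not spl.lstrip().startswith("|")
    names = []
    for i, stage in enumerate(split_pipeline(spl)):
        # A search that does not start with "|" begins with an implicit `search`.
        first = i == 0 and implicit_search
        names.append("search" if first else stage.split()[0].lower())
    return names

def qualifies_for_acceleration(spl):
    """Return (qualifies, transforming commands found at the top level)."""
    found = [c for c in command_names(spl) if c in TRANSFORMING]
    return bool(found), found

if __name__ == "__main__":
    samples = [  # constructed sample searches
        'index=auth action=failure',
        'index=auth action=failure | timechart span=1h count by src',
        'index=web [search index=auth | top user | fields user] | table user',
    ]
    for spl in samples:
        print(qualifies_for_acceleration(spl), spl)
```

A transforming command that appears only inside a subsearch or a quoted string does not count, because the outer search still returns raw events.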

Now let’s update our search query to add transforming commands.

Hit Save and run the report to capture the latest run time.

Now let's accelerate the report.

You will see the thunderbolt symbol for Accelerated Reports.

Now check the time it took to complete the search.

We used a very small dataset, for which the search used to return in 0.4 seconds, and Splunk still managed to return the data in 0.3 seconds. For larger datasets, we will see a huge difference.

I assume you understood the concept of accelerating a report in Splunk. Get some hands-on practice.

Happy Splunking!
