
One of the coolest features we’ve introduced in Splunk 5.0 is Report Acceleration. This speeds up reports by many orders of magnitude, and it is so easy to set up. So, what is the secret behind such a powerful acceleration? I’ll attempt to explain some of the concepts that power report acceleration in this post.
Before report acceleration, one of the ways for users to speed up reports was through summary indexing. Although very powerful, summary indexing was more suited to Splunk admins than to report developers. Summary indexing also didn’t have a way to auto-update its summaries to back-fill data, and it stores the summaries on the search heads instead of on the indexers.
Report acceleration is targeted at report developers. To enable it, users need to click a button in the save search dialog. That’s all. The system automatically builds the summaries for the report. The summaries are actually stored along with the buckets on the indexers; hence this helps to parallelize the summary-building activities on the indexer side.
Does report acceleration handle auto updates? Absolutely. Since the summaries live along with the buckets, any updates to the buckets will automatically update the summaries as well. Did I mention that summaries automatically roll from hot to warm to cold? Now you know that too!!
Try this and share your experience. I will cover some of the implementation details in the next post.