Ch. 9 Search Optimization

  • Report Acceleration - speeds up a report by building an acceleration summary and serving the report from it instead of re-scanning raw events

  • Acceleration Summary - stored search results for the report; by default Splunk runs the summarization search every 10 minutes to keep the summary current

    • Report Acceleration is like a CDN edge node caching a website: the accelerated report reads from the cached acceleration summary the way a browser reads from the edge node

  • Report Acceleration Rules: the report must run in fast or smart search mode (verbose mode cannot be accelerated), and the report owner needs the schedule_search and accelerate_search capabilities (the Power and Admin roles have them by default)

    • 3 Types of Commands that matter for Report Acceleration:

      • Streaming - operate on each event as it arrives; distributable streaming commands can run on the indexers. Ex. eval, search, fields, rename

      • Non-Streaming Commands - wait for all events to be returned before executing. Ex. transaction; eval and rename placed after a transforming command also stop streaming, because they operate on the transformed result set rather than on events

      • Transforming Commands - order the results into a data table. Ex. stats, chart, timechart, top, rare, table

  • Order of Operations for Report Acceleration - a search can be accelerated only when it is a transforming command by itself or follows this order: distributable streaming commands → transforming command → any commands (non-streaming allowed here). A non-streaming command before the first transforming command disqualifies the search.

  • Report acceleration summaries are stored on the indexers, alongside the buckets of the indexes they summarize.
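As an added example (not from the original notes), four searches against a hypothetical index web with sourcetype=access_combined and the fields bytes, status and clientip (all assumed), showing which command orderings qualify for report acceleration. The lines that do not start with index= or a pipe are labels, not SPL:

```spl
Search 1 accelerates: distributable streaming (eval, fields) -> transforming (stats) -> anything after (rename)
index=web sourcetype=access_combined
| eval kb=bytes/1024
| fields status, kb, clientip
| stats sum(kb) AS total_kb, dc(clientip) AS clients BY status
| rename total_kb AS "Total KB"

Search 2 accelerates: a transforming command by itself is enough
index=web sourcetype=access_combined
| timechart span=1h count BY status

Search 3 does not accelerate: transaction is non-streaming and sits before the transforming command
index=web sourcetype=access_combined
| transaction clientip maxspan=30m
| stats avg(duration) AS avg_session BY clientip

Search 4 does not accelerate: no transforming command, so there is nothing to summarize
index=web sourcetype=access_combined
| eval kb=bytes/1024
| sort - kb
```

Only searches 1 and 2 show the Accelerate option when saved as a report; for searches 3 and 4 the option is greyed out, and the fix is to move the non-streaming work after the transforming command or to add one.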

Data Model Acceleration

  • High Performance Analytics Store (HPAS) - the tsidx summary files that persistent data model acceleration writes on the indexers next to the index buckets; tstats and Pivot read them instead of raw events

  • Data Model Acceleration Types

    • Ad hoc - created automatically when a user runs a Pivot on a data model that is not persistently accelerated; the summary is built on the search head and discarded when the Pivot session ends

    • Persistent - enabled explicitly on the data model (requires the accelerate_datamodel capability) for a chosen summary range; the summaries are built and kept up to date on the indexers in the HPAS and reused by every tstats, Pivot and datamodel search against the model until acceleration is disabled

  • Data Model Acceleration creates .tsidx summary files that act like cache servers for the Pivot tool; how long they are retained depends on the acceleration type: ad hoc summaries are removed when the Pivot session ends, persistent summaries are kept for the configured summary range

Datamodel Command

  • | datamodel with no arguments returns the list of data models you have access to, in JSON

  • | datamodel data_model_name returns the JSON definition of that model (its datasets, fields and constraints)

  • summariesonly=true argument - restricts the datamodel command to the accelerated summary data, which is faster but omits any events that have not yet been summarized
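Added example (not part of the original notes) of the datamodel command forms above, plus the search and flat modes mentioned in the tstats notes, run against the hypothetical vsales model with root datasets us and can and the fields price and product_name (all assumed). The lines without a leading pipe are labels, not SPL:

```spl
List every data model you can read, as JSON
| datamodel

Describe one model: its datasets, fields and constraints
| datamodel vsales

Return the events of the us root dataset; field names keep the us. prefix
| datamodel vsales us search
| stats sum(us.price) AS revenue BY us.product_name

Same events with the hierarchy stripped, so the fields are price and product_name
| datamodel vsales us flat
| stats sum(price) AS revenue BY product_name

Read only the acceleration summary: faster, but events not yet summarized are missing
| datamodel vsales us search summariesonly=true
| stats sum(us.price) AS revenue BY us.product_name
```

The search and flat forms still retrieve raw events, so they are as slow as a normal search; they are useful for checking which events a dataset's constraints admit. Use summariesonly only when a slightly stale result is acceptable, for example in a scheduled dashboard, and compare its event count against the plain search form when a dataset looks incomplete.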

Tstats Command

  • What it does - runs statistical queries directly against tsidx files (indexed fields in the index buckets, or data model acceleration summaries) without reading raw events

  • When a data model has multiple root datasets and you don't name one with datamodel=model.dataset, tstats uses the first root dataset defined in the model

    • Ex. | tstats sum(us.price) from datamodel=vsales by us.product_name

      • Result: rows are returned because tstats defaults to us, the first root dataset of vsales

    • Ex. | tstats sum(can.price) from datamodel=vsales by can.product_name

      • Result: no rows are returned because tstats still defaults to us, and the can.* fields do not exist in that dataset

    • Ex. | tstats sum(can.price) from datamodel=vsales.can by can.product_name

      • Result: rows are returned because the root dataset is explicitly set to can

  • tstats allows wildcards only in field values (for example in the where clause), never in field names

  • tstats is fast because it reads indexed fields straight from tsidx; it cannot see search-time extracted fields unless they belong to an accelerated data model, whose summaries materialize them into tsidx

  • The search optimizer automatically rewrites a stats command into tstats when it can, i.e. when the stats references only indexed fields

  • On the Searches, Reports, and Alerts page, you will see a lightning bolt if your report is accelerated.

  • By default, Power and Admin users have the privileges that allow them to accelerate reports.

  • The search head stores the acceleration summaries for ad hoc data model acceleration; persistent summaries live on the indexers

  • The search and flat modes of the datamodel command return the underlying events of a dataset (flat strips the dataset prefix from the field names)

  • The tstats command needs to come first in the search pipeline because it is a generating command.
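Added example (not from the original notes) tying the tstats rules together: an indexed-field query with no data model, a wildcard in a field value, a time-bucketed count, an explicit root dataset read from the summary only, and a query against a search-time field. The index web, the sourcetype prefix access_, the data model vsales.can, the product name prefix Wid and the search-time field status_desc are all assumed. Lines without a leading pipe are labels, not SPL:

```spl
Indexed fields only, no data model; the wildcard is in a value, never in a field name
| tstats count WHERE index=web sourcetype=access_* BY sourcetype, host

_time is indexed, so tstats can bucket it like timechart does
| tstats count WHERE index=web BY _time span=1h

Data model query: root dataset named explicitly, value wildcard in the filter, summary data only
| tstats summariesonly=true sum(can.price) AS revenue
    FROM datamodel=vsales.can
    WHERE can.product_name="Wid*"
    BY can.product_name

A search-time extracted field is not in tsidx, so this returns no rows instead of an error
| tstats count WHERE index=web BY status_desc
```

The last query is the one that bites in practice: tstats does not fail on an unknown field, it silently returns nothing, so an empty result from a tstats detection can mean the field is only extracted at search time rather than that the activity did not occur. Check with | stats count BY status_desc over a short time range before trusting the tstats version.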


Understand search-time fields vs. index-time fields: index-time fields are written into tsidx at ingest and are what tstats queries; search-time fields are extracted from _raw each time a search runs and are invisible to tstats unless an accelerated data model summarizes them