Deployment monitor accelerated searches not workin...

bojanz · ‎05-02-2013

Hi,

I have a couple of servers that were 4.x and I updated them to 5.0.2. I also installed the latest Deployment Monitor application.

However, now accelerated searches are not working at all. In Manager -> Report Acceleration Summaries they are all listed like this:

c61755ddd7cc1021    
forwarders_summary_10m
dm_license_summary_10m_by_forwarder
    0.0000  0 Last Access: Never    Summarization not started Updated: Never

a7d992d7273cd430    
dm_license_summary_10m_by_sourcetype
    0.0000  0 Last Access: Never    Summarization not started Updated: Never

If I go to a search in Manager -> Searches and reports and select one (for example sourcetypes_summary_10m) I can see that the search is:

`sourcetypes_summary_10m`

And it's accelerated to 3 months summary range. However, when I click on Save I get the following error:

Encountered the following error while trying to update: In handler 'savedsearch': This search cannot be accelerated

Checking the macro it looks ok. Puzzled. 😕

dennywebb · ‎06-04-2013

See "How Searches Qualify for Acceleration". I was having this same issue... to accelerate the search has to chart/stat/table/etc... not just return a set of events.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Manageacceleratedsearchsummaries#How_sea...

araitz · ‎05-06-2013

I suspect you might be hitting a bug in Splunk core that can cause report acceleration not to function as expected. Have you opened a support case yet?

Deployment monitor accelerated searches not working at all?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team