Splunk Accelerated Data Models - Part 3

This article is based on my Splunk .conf 2015 session and is the second in a mini-series on Splunk data model acceleration. Make sure to read parts 1 and 2 first.

Searching Accelerated Data Models

Which Searches are Accelerated?

The high-performance analytics store (HPAS) is used only with Pivot (UI and the pivot command) and the tstats command. Regular searches and the datamodel command are not accelerated!

Tstats

The Principle

Tstats must be the first command in the search pipeline. It is used in prestats mode and must be followed by one of:

  • Stats
  • Chart
  • Timechart

Learning Tstats

To learn how to use tstats for searching an accelerated data model, build a sample search in Pivot Editor and inspect the underlying search:

[Screenshot: Splunk - inspecting a search in Pivot Editor]

A new search job inspector window opens. The search can be found near the bottom. Copy it.

[Screenshot: Splunk - Search job inspector]

After a bit of cleaning up and removing unnecessary clutter, the search looks like this:

| tstats
  sum("Process_ProcessDetail.ProcIOReadCount")
  from datamodel=uberAgent.Process_ProcessDetail
  where (nodename = Process_ProcessDetail)
  groupby "Process_ProcessDetail.ProcName"
  prestats=true
| stats dedup_splitvals=t
  sum("Process_ProcessDetail.ProcIOReadCount")
  as "Sum of ProcIOReadCount"
  by "Process_ProcessDetail.ProcName"

As you can see, tstats is used in prestats mode (“prestats=true”) and is followed by a stats command that mirrors its precursor. The fact that two nearly identical search commands are required makes tstats-based accelerated data model searches a bit clumsy. It does not help that the data model object name (“Process_ProcessDetail”) needs to be specified four times in the tstats command.

Pivot

The Principle

Pivot has a “different” syntax from other Splunk commands. Pivot only searches data models. Like tstats, it must be the first command in the search pipeline. Unlike tstats, pivot can perform real-time searches, too. This convinced us to use pivot for all uberAgent dashboards, not tstats. I have heard Splunk employees recommend tstats over pivot, but pivot really is the only choice if you need real-time searches (and who doesn’t?).

Learning Pivot

To learn how to use pivot for searching an accelerated data model, build a sample search in Pivot Editor and open it in Search:

[Screenshot: Splunk - open in search]

The underlying search can now easily be copied from Splunk’s search bar. After a bit of cleaning up and removing unnecessary clutter, it looks like this:

| pivot uberAgent Process_ProcessDetail
  sum(ProcIOReadCount) as "Sum of ProcIOReadCount"
  splitrow ProcName as ProcName

This search is so much cleaner than its tstats cousin above!
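To show the same comparison on a time-split query, here is an added example (not a search from the original post or from uberAgent) that takes the two searches above one step further: instead of a flat sum per process, both versions produce an hourly trend of ProcIOReadCount per process name, the kind of view a SOC analyst would use to spot a process whose disk read volume suddenly diverges from its baseline. The first search uses tstats in prestats mode followed by timechart, the second the pivot equivalent. The data model, object and field names are the ones used on this page; the hourly span and the assumption that the reader's uberAgent data model is accelerated are mine.

```spl
| tstats prestats=true
    sum("Process_ProcessDetail.ProcIOReadCount")
  from datamodel=uberAgent.Process_ProcessDetail
  where nodename=Process_ProcessDetail
  by _time span=1h "Process_ProcessDetail.ProcName"
| timechart span=1h
    sum("Process_ProcessDetail.ProcIOReadCount") as "Sum of ProcIOReadCount"
  by "Process_ProcessDetail.ProcName"

| pivot uberAgent Process_ProcessDetail
    sum(ProcIOReadCount) as "Sum of ProcIOReadCount"
  splitrow _time as _time period hour
  splitcol ProcName
```

Both searches hit the high-performance analytics store rather than raw events. The tstats version again repeats the object name in every clause and needs a matching timechart after it; the pivot version expresses the time bucket with splitrow _time and the per-process columns with splitcol, and it can also be run as a real-time search, which is the property the post singles out as the reason to prefer pivot for dashboards.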
