uberAgent

Changing the Accelerated Time Range

uberAgent’s dashboards use a Splunk technology called accelerated data models. In a nutshell, an accelerated data model relies on an additional index that speeds up searches by 50x to 100x. The trade-off is that an accelerated data model creates a slightly higher CPU load at index time and takes up more disk space on the indexers.

When Dashboards Might Load Slowly

You may notice that dashboards load slowly if the selected time range goes further back than seven days. This is because uberAgent’s default accelerated time range is exactly seven days. Older events are still included in searches and dashboards if an appropriate time range is selected, but they take a lot longer to come up.

What To Do About It

To speed up searches that go further back than seven days, you can increase the summary range, i.e. the number of days the accelerated data goes back in time. This can be done via the UI or via configuration files. In both cases, the changed setting is stored in [uberagent app directory]\local\datamodels.conf on the search heads.

Important: After updating the uberAgent search head (dashboard) app, make sure your changed file(s) in the local subdirectory are still there.

User Interface

To change the accelerated summary range via the UI, navigate to Settings > Data models and click Edit > Edit Acceleration for any of the uberAgent data models:

[Screenshot: Data models list with the Edit > Edit Acceleration menu]

Select the desired summary range in the dialog that comes up:

[Screenshot: Edit Acceleration dialog with the summary range selection]

Configuration File

To change the accelerated summary range via the configuration files:

  • Create a new directory $SPLUNK_HOME\etc\apps\uberAgent\local (if it does not already exist)
  • Copy $SPLUNK_HOME\etc\apps\uberAgent\default\datamodels.conf to $SPLUNK_HOME\etc\apps\uberAgent\local\datamodels.conf
  • Edit the setting acceleration.earliest_time in $SPLUNK_HOME\etc\apps\uberAgent\local\datamodels.conf
  • Restart Splunk
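The first three steps, plus the check from the Important note above that the local override is still present after an app update, as an added example (not uberAgent's or Splunk's own code). The stanza names, the `-7d` default value and the temporary app directory are constructed for the demo; Splunk still has to be restarted afterwards.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Matches one "acceleration.earliest_time = <value>" line without crossing line ends.
SETTING = re.compile(r"^([ \t]*acceleration\.earliest_time[ \t]*=[ \t]*)(\S+)[ \t]*$", re.M)

def read_ranges(conf_path):
    """Return {stanza: earliest_time}; empty if the file does not exist."""
    ranges, stanza, path = {}, None, Path(conf_path)
    if not path.exists():
        return ranges
    for line in path.read_text(encoding="utf-8").splitlines():
        match = SETTING.match(line)
        if line.strip().startswith("["):
            stanza = line.strip().strip("[]")
        elif match and stanza:
            ranges[stanza] = match.group(2)
    return ranges

def set_summary_range(app_dir, earliest):
    """Create local/, copy the default file if needed, then edit the setting."""
    app = Path(app_dir)
    local = app / "local" / "datamodels.conf"
    local.parent.mkdir(parents=True, exist_ok=True)
    if not local.exists():  # keep an existing override instead of clobbering it
        shutil.copyfile(app / "default" / "datamodels.conf", local)
    text = local.read_text(encoding="utf-8")
    local.write_text(SETTING.sub(lambda m: m.group(1) + earliest, text), encoding="utf-8")
    return read_ranges(local)

def stanzas_not_overridden(app_dir, earliest):
    """Post-upgrade check: default stanzas whose local value is not `earliest`."""
    app = Path(app_dir)
    local = read_ranges(app / "local" / "datamodels.conf")
    default = read_ranges(app / "default" / "datamodels.conf")
    return sorted(s for s in default if local.get(s) != earliest)

def make_sample_app():
    """Constructed app directory with two hypothetical data model stanzas."""
    app = Path(tempfile.mkdtemp()) / "uberAgent"
    (app / "default").mkdir(parents=True)
    stanza = "[{}]\nacceleration = true\nacceleration.earliest_time = -7d\n\n"
    conf = stanza.format("Example_Model_A") + stanza.format("Example_Model_B")
    (app / "default" / "datamodels.conf").write_text(conf, encoding="utf-8")
    return app

if __name__ == "__main__":
    app = make_sample_app()
    print(set_summary_range(app, "-1mon"))
    print(stanzas_not_overridden(app, "-1mon"))  # [] while the override is in place
```

Running `stanzas_not_overridden` after every app update lists the data models that have fallen back to the default range.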

Estimating Disk Space Requirements

Before you change the accelerated summary range, you should make sure that sufficient disk space is available. To determine the disk space currently occupied by the high-performance analytics store (the special index used by data model acceleration), navigate to Settings > Data models in the Splunk UI and click the arrow next to uberAgent. You should see information similar to the following:

[Screenshot: data model details showing the summary range and Size on Disk]

This shows the summary range (the default is 604800 seconds, which is equivalent to 7 days) and the Size on Disk. If you plan to extend the summary range to a month, expect the size on disk to increase by approximately 4x.
