You are a Splunk administrator for a large e-commerce company. The company ingests approximately 500 GB of web server logs per day into a single index named 'web_logs'. A data model named 'Web_Transactions' has been created to analyze user browsing behavior. The data model has a root event with no constraints, and three child objects: 'Page_Views', 'Searches', and 'Purchases'. Each child object has a constraint based on a key-value pair in the logs: e.g., 'action=view', 'action=search', 'action=purchase'. The data model is accelerated with a 7-day summary, but reports that query specific child objects are taking over 10 minutes to return. The reports use |tstats and filter on common fields like 'user_id' and 'session_id'. The admin suspects the acceleration summary is too large. Which of the following actions will most effectively reduce report latency while maintaining the ability to analyze all three transaction types?
Reduces the summary size by excluding non-relevant events.
Why this answer
Option D is correct because adding a constraint to the root event to filter only events with action=view, action=search, or action=purchase reduces the size of the acceleration summary. The root event currently has no constraints, so the acceleration summary includes all 500 GB of daily web logs, even though only three action types are needed. By constraining the root event, the summary stores only relevant data, making |tstats queries on child objects much faster.
Exam trap
The trap here is that candidates may think increasing the acceleration time range will help by caching more data, but it actually exacerbates the problem by making the summary larger and slower to query.
How to eliminate wrong answers
Option A is wrong because using |datamodel with the 'search' parameter does not leverage acceleration; it runs a real-time search against raw data, which would be slower than using |tstats on an accelerated data model. Option B is wrong because removing child objects and using only the root event would require manual filtering for each transaction type, eliminating the structured acceleration benefits and likely increasing query complexity and latency. Option C is wrong because increasing the acceleration summary time range to 30 days would make the summary even larger, worsening the performance issue rather than solving it.