How to filter out only the accelerated reports in ...

Hemnaath · ‎12-13-2017

Hi All, I need to filter out only the reports that are configured as Accelerated Reports in searches,Reports and Alerts. I had run the below query to filter out the Accelerated Reports but it gives me each time a different result. So please guide me whether the below search query needs to include any other information.

index=_internal source=*scheduler.log*  savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host

thanks in advance.

kamlesh_vaghela · ‎12-13-2017

HI @Hemnaath,

Can you please try this?

| rest /servicesNS/-/-/saved/searches splunk_server=local | where auto_summarize=1 | table  title

Thanks

Hemnaath · ‎12-13-2017

Hi Kamlesh, thanks for your effort on this when I execute the above query, I am getting some reports details with statistics count as 85, but how do I confirm whether they are configured as Accelerated Reports.

And also I am getting some statistics count as 261 when I execute the below query.

i`ndex=_internal source=*scheduler.log*  savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host`

Kindly guide me on this.
thanks in advances.

kamlesh_vaghela · ‎12-13-2017

HI @Hemnaath,

auto_summarize=1 in savedsearch says it's accelerated.

Please check "auto summarization options" in below link.

https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Savedsearchesconf

You can do it practically, just check "Enabling report acceleration when you create a report" in below link.

http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Manageacceleratedsearchsummaries

I hope it will help you.

Thanks

adonio · ‎12-13-2017

hello there,

give this a try:

| rest splunk_server=local /servicesNS/-/-/saved/searches
| search auto_summarize = 1
| table title search eai:acl.app eai:acl.owner auto_summarize.dispatch.earliest_time

hope it helps

Hemnaath · ‎12-13-2017

Hi Adonio, thanks for your effort on this, After executing the above query, I am getting some report details with statistics count as 85, So it mean we have 85 reports configured as Accelerated Reports or how do I confirm that they are all configured as Accelerated Reports.

Also I am getting statistics count as 261 when I execute the below query, so what is the difference between savedsearch_name=ACCELERATE and your query.

index=_internal source=*scheduler.log*  savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host

Kindly guide me on this.
thanks in advance.

adonio · ‎12-13-2017

not sure what do you mean by statistics count, but if in the table has 85 rows, with 85 different title values, then you have 85 accelerated reports...
this search confirmed these reports are accelerated, you can go to the relevant savedsearches.conf or navigate to reports page of an app and hit the little > icon next to report name and make sure that Acceleration is indeed "enabled"

Hemnaath · ‎12-13-2017

hey in the splunk search console we could see Events, Pattern, statistics, Visualization tabs right, in these under statistic tab, I could see 85 count.

Yes I have gone through each reports under --> settings-->searches,report,alerts,--> Specific Report name-->icon with thunder symbol and when placed over the symbol it pops out - This model is accelerated.

thanks for your help on this.

adonio · ‎12-13-2017

@Hemnaath,

you are welcome,
be carefull with your searches and the MC (splunk monitoring console). i reccomend to relay on the searches myself and @kamlesh_vaghela provided in answers here.
pasy attention of you see a pattern like ACCELERATE_DM that means its a data model acceleration and not report acceleration.

if that answers your question, kindly mark question as answered and upvote any comment / answer that helped.

cheers

Hemnaath · ‎12-13-2017

hey then how to find out the accelerated reports configured in our environment. So you mean to say that data model acceleration is different from Accelerated reports.

When I execute this query i am getting below results:

  index=_internal source=*scheduler.log*  savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host  

_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_  
_ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_   
_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_ 
_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_85ce9a3b65831f9d_ACCELERATE_   
_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_3c59e7c4c93a6544_ACCELERATE_

Kindly guide me whether these reports are accelerated report or data model acceleration.

adonio · ‎12-13-2017

yes ... look at the format
ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE
_ACCELERATE_SplunkServerGUID_AppName_Owner_SearchID_ACCELERATE

OR
ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE
_ACCELERATE_DM_DataModelName_ACCELERATE

please use the search we provided above with the | rest command
read here about the difference between Data Model Acceleration and Report Acceleration:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Acceleratedatamodels

Hemnaath · ‎12-13-2017

thanks adonio... let me check the report once again.

How to filter out only the accelerated reports in splunk ?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk