Hi All, I need to filter out only the reports that are configured as Accelerated Reports in Searches, Reports and Alerts. I ran the below query to filter out the Accelerated Reports, but it gives me a different result each time. So please guide me on whether the below search query needs to include any other information.
index=_internal source=*scheduler.log* savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host
thanks in advance.
HI @Hemnaath,
Can you please try this?
| rest /servicesNS/-/-/saved/searches splunk_server=local | where auto_summarize=1 | table title
Thanks
Hi Kamlesh, thanks for your effort on this. When I execute the above query, I am getting some report details with statistics count as 85, but how do I confirm whether they are configured as Accelerated Reports?
And also I am getting some statistics count as 261 when I execute the below query.
`index=_internal source=*scheduler.log* savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host`
Kindly guide me on this.
thanks in advance.
HI @Hemnaath,
`auto_summarize=1` in savedsearch says it's accelerated.
Please check "auto summarization options" in below link.
https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Savedsearchesconf
You can do it practically, just check "Enabling report acceleration when you create a report" in below link.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Manageacceleratedsearchsummaries
I hope it will help you.
Thanks
hello there,
give this a try:
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search auto_summarize = 1
| table title search eai:acl.app eai:acl.owner auto_summarize.dispatch.earliest_time
hope it helps
Hi Adonio, thanks for your effort on this. After executing the above query, I am getting some report details with statistics count as 85. So does it mean we have 85 reports configured as Accelerated Reports, or how do I confirm that they are all configured as Accelerated Reports?
Also I am getting statistics count as 261 when I execute the below query, so what is the difference between savedsearch_name=ACCELERATE and your query?
index=_internal source=*scheduler.log* savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host
Kindly guide me on this.
thanks in advance.
not sure what you mean by statistics count, but if the table has 85 rows, with 85 different title values, then you have 85 accelerated reports...
this search confirmed these reports are accelerated. you can go to the relevant savedsearches.conf or navigate to the reports page of an app and hit the little > icon next to the report name and make sure that Acceleration is indeed "enabled"
hey, in the splunk search console we could see the Events, Pattern, Statistics, Visualization tabs, right? Among these, under the Statistics tab, I could see 85 count.
Yes, I have gone through each report under --> settings-->searches,report,alerts,--> Specific Report name-->icon with thunder symbol, and when hovered over the symbol it pops out - This model is accelerated.
thanks for your help on this.
you are welcome,
be careful with your searches and the MC (splunk monitoring console). i recommend relying on the searches myself and @kamlesh_vaghela provided in answers here.
pay attention if you see a pattern like ACCELERATE_DM, that means it's a data model acceleration and not report acceleration.
if that answers your question, kindly mark question as answered and upvote any comment / answer that helped.
cheers
hey, then how do I find out the accelerated reports configured in our environment? So you mean to say that data model acceleration is different from Accelerated reports?
When I execute this query i am getting below results:
index=_internal source=*scheduler.log* savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host
_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_
_ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_
_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_
_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_85ce9a3b65831f9d_ACCELERATE_
_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_3c59e7c4c93a6544_ACCELERATE_
Kindly guide me whether these reports are accelerated report or data model acceleration.
yes ... look at the format
_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_
_ACCELERATE_SplunkServerGUID_AppName_Owner_SearchID_ACCELERATE_
OR
_ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_
_ACCELERATE_DM_DataModelName_ACCELERATE_
please use the search we provided above with the | rest command
read here about the difference between Data Model Acceleration and Report Acceleration:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Acceleratedatamodels
thanks adonio... let me check the report once again.
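Added example (not part of the original thread and not Splunk's own code): a Python classifier for exported `savedsearch_name` values that applies the two name formats quoted above, which shows why the scheduler.log wildcard search counts more rows than the `| rest` search. It assumes the search ID is 16 hex characters (as in the thread's samples) and that the owner name contains no underscore; the last sample name is constructed.

```python
import re
from collections import Counter

# Data model acceleration: _ACCELERATE_DM_<DataModelName>_ACCELERATE_
DM_RE = re.compile(r"^_ACCELERATE_DM_(?P<datamodel>.+)_ACCELERATE_$")
# Report acceleration:
#   _ACCELERATE_<SplunkServerGUID>_<AppName>_<Owner>_<SearchID>_ACCELERATE_
REPORT_RE = re.compile(
    r"^_ACCELERATE_"
    r"(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})_"
    r"(?P<app_owner>.+)_"
    r"(?P<search_id>[0-9a-f]{16})"  # assumption: 16 hex chars, as in the samples
    r"_ACCELERATE_$"
)

def classify(name):
    """Describe one savedsearch_name value taken from scheduler.log."""
    m = DM_RE.match(name)
    if m:
        return {"type": "data_model", "datamodel": m.group("datamodel")}
    m = REPORT_RE.match(name)
    if m:
        # Assumption: the owner has no underscore, so split on the last one.
        app, _, owner = m.group("app_owner").rpartition("_")
        return {"type": "report", "guid": m.group("guid"), "app": app,
                "owner": owner, "search_id": m.group("search_id")}
    # Matches the *ACCELERATE* wildcard but is not an acceleration job.
    return {"type": "other"}

def summarize(names):
    """Count distinct names per acceleration type."""
    return Counter(classify(n)["type"] for n in set(names))

# First five names are the ones posted in the thread; the last is constructed.
SAMPLE = [
    "_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_",
    "_ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_",
    "_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_",
    "_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_85ce9a3b65831f9d_ACCELERATE_",
    "_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_3c59e7c4c93a6544_ACCELERATE_",
    "ACCELERATE test report",  # constructed: ordinary report with the word in its title
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLE).items():
        print(name, count)
```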