Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for Report Acceleration info in _internal

lguinn2
Legend
‎05-30-2013 10:07 AM

For my report acceleration summaries, I can see some statistics in the Splunk Manager. I've read the manual section on Manage Report Acceleration, so I know about the Summarization Load statistic and how it is calculated.

My question is: can I find out more about when the summarization tasks actually run behind the scenes, and how much load that is causing on my indexers? I browsed through the _internal index, but I didn't find anything obvious.

Where is creation/maintenance of report acceleration summaries logged?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎07-30-2013 11:22 AM

You can look at the logs on the server for some minor bit more data about the job, or you can do a search like:

index=_audit user=yourusername

that will get you some information if you know the username but not the jobid. If you know the jobid, you can try (example shows a real jobid, but replace with the correct one for your search):

index=_audit *1375207557.136764*

You might need to cull out splunkweb accesses by adding:

...  NOT *POST* NOT *GET*

Otherwise, you can get the same information from the logs:

grep 1375207557.136764 $SPLUNKHOME/var/log/splunk

Also, I found some intersting things using:

index=_* *summary*
--
Jesse Trucks
Minister of Magic

View solution in original post

Reply
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎07-30-2013 11:22 AM

You can look at the logs on the server for some minor bit more data about the job, or you can do a search like:

index=_audit user=yourusername

that will get you some information if you know the username but not the jobid. If you know the jobid, you can try (example shows a real jobid, but replace with the correct one for your search):

index=_audit *1375207557.136764*

You might need to cull out splunkweb accesses by adding:

...  NOT *POST* NOT *GET*

Otherwise, you can get the same information from the logs:

grep 1375207557.136764 $SPLUNKHOME/var/log/splunk

Also, I found some intersting things using:

index=_* *summary*
--
Jesse Trucks
Minister of Magic
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...