
How to filter out only the accelerated reports in splunk ?

Motivator

Hi All, I need to filter out only the reports that are configured as Accelerated Reports in Searches, Reports, and Alerts. I ran the below query to filter out the Accelerated Reports, but it gives me a different result each time. So please guide me on whether the below search query needs to include any other information.

index=_internal source=*scheduler.log*  savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host 

thanks in advance.

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

SplunkTrust

hello there,

give this a try:

| rest splunk_server=local /servicesNS/-/-/saved/searches
| search auto_summarize = 1
| table title search eai:acl.app eai:acl.owner auto_summarize.dispatch.earliest_time

hope it helps

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

Motivator

Hi Adonio, thanks for your effort on this. After executing the above query, I am getting some report details with a statistics count of 85. So does it mean we have 85 reports configured as Accelerated Reports, or how do I confirm that they are all configured as Accelerated Reports?

Also, I am getting a statistics count of 261 when I execute the below query, so what is the difference between savedsearch_name=*ACCELERATE* and your query?

index=_internal source=*scheduler.log*  savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host 

Kindly guide me on this.
thanks in advance.

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

SplunkTrust

not sure what you mean by statistics count, but if the table has 85 rows, with 85 different title values, then you have 85 accelerated reports...
this search confirmed these reports are accelerated; you can go to the relevant savedsearches.conf or navigate to the reports page of an app and hit the little > icon next to the report name and make sure that Acceleration is indeed "enabled"

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

Motivator

Hey, in the Splunk search console we can see the Events, Patterns, Statistics, and Visualization tabs, right? Under the Statistics tab, I could see a count of 85.

Yes, I have gone through each report under Settings --> Searches, reports, and alerts --> specific report name --> icon with the thunder symbol, and when the pointer is placed over the symbol it pops out: This model is accelerated.

thanks for your help on this.

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

SplunkTrust

@Hemnaath,

you are welcome,
be careful with your searches and the MC (Splunk monitoring console). I recommend relying on the searches that @kamleshvaghela and I provided in the answers here.
pay attention if you see a pattern like *_ACCELERATE_DM_*: that means it's a data model acceleration and not report acceleration.

if that answers your question, kindly mark question as answered and upvote any comment / answer that helped.

cheers

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

Motivator

Hey, then how do we find out the accelerated reports configured in our environment? So you mean to say that data model acceleration is different from Accelerated Reports?

When I execute this query, I am getting the below results:

  index=_internal source=*scheduler.log*  savedsearch_name=*ACCELERATE* | dedup savedsearch_name host | table savedsearch_name host  

_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_  
_ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_   
_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_ 
_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_85ce9a3b65831f9d_ACCELERATE_   
_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_3c59e7c4c93a6544_ACCELERATE_

Kindly guide me whether these reports are accelerated report or data model acceleration.

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

SplunkTrust

yes ... look at the format
_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_
_ACCELERATE_SplunkServerGUID_AppName_Owner_SearchID_ACCELERATE_

OR
_ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_
_ACCELERATE_DM_DataModelName_ACCELERATE_

please use the search we provided above with the | rest command
read here about the difference between Data Model Acceleration and Report Acceleration:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Acceleratedatamodels

0 Karma
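
An added example, not part of the thread and not Splunk's own code: a Python parser for the two `_ACCELERATE_` naming formats described in the answer above, run over the `savedsearch_name` values posted in the question. The function names, the 16-hex search ID and the underscore-free owner are assumptions of this example.

```python
import re
from collections import Counter

# Report acceleration, per the answer above:
#   _ACCELERATE_<SplunkServerGUID>_<AppName>_<Owner>_<SearchID>_ACCELERATE_
# Assumptions (they hold for the names in this thread): the owner contains no
# underscore and the search ID is 16 hex characters; app names may contain "_".
REPORT_RE = re.compile(
    r"^_ACCELERATE_"
    r"(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})_"
    r"(?P<app>.+)_(?P<owner>[^_]+)_(?P<search_id>[0-9A-Fa-f]{16})"
    r"_ACCELERATE_$"
)
# Data model acceleration: _ACCELERATE_DM_<DataModelName>_ACCELERATE_
DM_RE = re.compile(r"^_ACCELERATE_DM_(?P<datamodel>.+)_ACCELERATE_$")


def classify(savedsearch_name):
    """Return the acceleration type and parsed fields for one scheduler.log name."""
    name = savedsearch_name.strip()
    m = DM_RE.match(name)
    if m:
        return {"type": "datamodel", **m.groupdict()}
    m = REPORT_RE.match(name)
    if m:
        return {"type": "report", **m.groupdict()}
    return {"type": "unknown"}


def summarize(names):
    """Count distinct names per type; repeats (one row per host) collapse."""
    distinct = {n.strip() for n in names}
    return Counter(classify(n)["type"] for n in distinct)


# savedsearch_name values copied from the question in this thread. The last
# entry repeats the first, as "dedup savedsearch_name host" would leave it
# when the same summary search is scheduled on two hosts.
THREAD_NAMES = [
    "_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_",
    "_ACCELERATE_DM_Splunk_SA_CIM_Network_Sessions_ACCELERATE_",
    "_ACCELERATE_DM_Splunk_SA_CIM_Network_Resolution_ACCELERATE_",
    "_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_85ce9a3b65831f9d_ACCELERATE_",
    "_ACCELERATE_C090FDA2-105E-4875-A110-3F13FF986151_SA-critical_security_controls_admin_3c59e7c4c93a6544_ACCELERATE_",
    "_ACCELERATE_D4D707D0-38F3-4F47-A1AA-9DD305E110D0_DA-deployment_monitor_nobody_66aacf41e8ea33d9_ACCELERATE_  ",
]

if __name__ == "__main__":
    print(dict(summarize(THREAD_NAMES)))
```
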

Re: How to filter out only the accelerated reports in splunk ?

Motivator

thanks adonio... let me check the report once again.

0 Karma

Re: How to filter out only the accelerated reports in splunk ?

SplunkTrust

Hi @Hemnaath,

Can you please try this?

| rest /servicesNS/-/-/saved/searches splunk_server=local | where auto_summarize=1 | table  title

Thanks

0 Karma