How to confirm a search is using auto summarized data (Report Acceleration)?

KarunK
Contributor

Hi All,

I have a search like the one below which is using "Report Acceleration" (Retention 7 days). Even though the Report Acceleration Summary is saying reporting is being accelerated, I am not seeing any visible improvement in report generation.

index="accesslog" status="200" | stats count by client_ip service | geoip client_ip

Is there any other way to confirm that the search is using the auto accelerated summary for generating results/report? Does "Job Inspector" show this information?

Any advice will be well appreciated.

Thanks

KK

ChrisG
Splunk Employee

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.

sansay
Contributor

A much better way to confirm that you are indeed using the accelerated summary was shown to me by Fred at Splunk tech support.

  1. After you run a search in the web interface, click on the Save button, then select "Save and share results..."
  2. This will show you a dialog with the link to the results. Copy the job ID numbers, from "sid=" to & (ampersand)
  3. Close
  4. Open the Job management dialog by clicking on Jobs
  5. Paste the job ID in the search field; this should bring it in the list
  6. Click on Inspect: you should see a dialog open with Debug statements like this: DEBUG: [your-host-name] Using summaries for search, summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_68c6a0bd6570ee2b, maxtimespan=
  7. The number "68c6a0bd6570ee2b" should match the summary ID of your accelerated search, which you can see by clicking on Manager, then Report Acceleration Summaries
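
The comparison in the last two steps can be scripted once the Job Inspector text has been copied out. The following is an added example, not part of the original post and not Splunk's own tooling: it assumes the message layout shown in the one quoted DEBUG line, and the host names `idx-a` and `idx-b` and the function names are hypothetical.

```python
import re

# Layout taken from the single message quoted in the answer above:
#   DEBUG: [host] Using summaries for search, summary_id=<GUID>_<app>_<user>_<hash>, ...
# Treating the text after the last underscore as the hash is an assumption.
LINE_RE = re.compile(
    r"DEBUG:\s*\[(?P<host>[^\]]+)\]\s*Using summaries for search,\s*"
    r"summary_id=(?P<sid>[^,\s]+)"
)

def summaries_used(inspector_text):
    """Map each reporting host to the set of summary hashes it used."""
    used = {}
    for line in inspector_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # App and user names may contain underscores, so split from the right.
            digest = m.group("sid").rsplit("_", 1)[-1].lower()
            used.setdefault(m.group("host"), set()).add(digest)
    return used

def check_acceleration(inspector_text, expected_hash):
    """Return 'accelerated', 'wrong_summary' or 'not_accelerated'."""
    used = summaries_used(inspector_text)
    if not used:
        return "not_accelerated"
    expected = expected_hash.lower()
    if all(hashes == {expected} for hashes in used.values()):
        return "accelerated"
    return "wrong_summary"

# Constructed Job Inspector text; only the summary_id value comes from the answer.
SAMPLE = """\
INFO: constructed unrelated message
DEBUG: [idx-a] Using summaries for search, summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_68c6a0bd6570ee2b, maxtimespan=
DEBUG: [idx-b] Using summaries for search, summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_68c6a0bd6570ee2b, maxtimespan=
"""

if __name__ == "__main__":
    print(check_acceleration(SAMPLE, "68c6a0bd6570ee2b"))
    print(check_acceleration("INFO: no summary lines", "68c6a0bd6570ee2b"))
```

A `not_accelerated` result means no "Using summaries for search" line was present in the pasted text at all, which is the case the question is asking how to detect.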
