Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to confirm a search is using auto summarized data (Report Acceleration) ?

KarunK
Contributor
‎05-30-2013 06:32 PM

Hi All,

I have a search like below which is using "Report Acceleration" (Retention 7days). Even though the Report Acceleration Summary saying reporting is being accelerated, I am not seeing any visible improvement in report generation.

index="accesslog" status="200" | stats count by client_ip service | geoip client_ip

Is there anyway other-way to confirm that the search is using the auto accelerated summery for generating results/report. Does "Job Inspector" show this information ?

Any advise will be well appreciated.

Thanks

KK

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎05-30-2013 09:29 PM

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.

View solution in original post

Reply
Solved! Jump to solution

sansay
Contributor
‎12-18-2013 04:51 PM

A much better way to confirm that you are indeed using the accelerated summary was shown to me by Fred at Splunk tech support.
1. After your run a search at the web interface, click on the Save button, then select "Save and share results..."

  1. This will show you a dialog with the link to the results. Copy the job ID numbers, from "sid=" to & (ampersand)
  2. Close
  3. Open the Job management dialog by clicking on Jobs
  4. Paste the job ID in the search field, this should bring it in the list
  5. Click on Inspect: you should see a dialog open with Debug statements like this: DEBUG: [your-host-name] Using summaries for search, summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_68c6a0bd6570ee2b, maxtimespan=
  6. the number "68c6a0bd6570ee2b" should match the summary ID of your accelerated search which you can see by clicking on Manager, then Report Acceleration Summaries
Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎05-30-2013 09:29 PM

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.

Reply
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...