Reporting

How to confirm a search is using auto summarized data (Report Acceleration) ?

KarunK
Contributor

Hi All,

I have a search like below which is using "Report Acceleration" (Retention 7days). Even though the Report Acceleration Summary saying reporting is being accelerated, I am not seeing any visible improvement in report generation.

index="accesslog" status="200" | stats count by client_ip service | geoip client_ip

Is there anyway other-way to confirm that the search is using the auto accelerated summery for generating results/report. Does "Job Inspector" show this information ?

Any advise will be well appreciated.

Thanks

KK

Tags (1)
0 Karma
1 Solution

ChrisG
Splunk Employee
Splunk Employee

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.

View solution in original post

sansay
Contributor

A much better way to confirm that you are indeed using the accelerated summary was shown to me by Fred at Splunk tech support.
1. After your run a search at the web interface, click on the Save button, then select "Save and share results..."

  1. This will show you a dialog with the link to the results. Copy the job ID numbers, from "sid=" to & (ampersand)
  2. Close
  3. Open the Job management dialog by clicking on Jobs
  4. Paste the job ID in the search field, this should bring it in the list
  5. Click on Inspect: you should see a dialog open with Debug statements like this: DEBUG: [your-host-name] Using summaries for search, summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_68c6a0bd6570ee2b, maxtimespan=
  6. the number "68c6a0bd6570ee2b" should match the summary ID of your accelerated search which you can see by clicking on Manager, then Report Acceleration Summaries

ChrisG
Splunk Employee
Splunk Employee

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...