Reporting

How to confirm a search is using auto summarized data (Report Acceleration)?

KarunK
Contributor

Hi All,

I have a search like below which is using "Report Acceleration" (Retention 7 days). Even though the Report Acceleration Summary says reporting is being accelerated, I am not seeing any visible improvement in report generation.

index="accesslog" status="200" | stats count by client_ip service | geoip client_ip

Is there any other way to confirm that the search is using the auto accelerated summary for generating results/report? Does "Job Inspector" show this information?

Any advice will be well appreciated.

Thanks

KK


ChrisG
Splunk Employee

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.


sansay
Contributor

A much better way to confirm that you are indeed using the accelerated summary was shown to me by Fred at Splunk tech support.

  1. After you run a search in the web interface, click on the Save button, then select "Save and share results..."
  2. This will show you a dialog with the link to the results. Copy the job ID numbers, from "sid=" to & (ampersand)
  3. Close
  4. Open the Job management dialog by clicking on Jobs
  5. Paste the job ID in the search field; this should bring it up in the list
  6. Click on Inspect: you should see a dialog open with Debug statements like this: DEBUG: [your-host-name] Using summaries for search, summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_68c6a0bd6570ee2b, maxtimespan=
  7. The number "68c6a0bd6570ee2b" should match the summary ID of your accelerated search, which you can see by clicking on Manager, then Report Acceleration Summaries
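
The comparison at the end of the procedure above can be scripted once the Job Inspector text has been copied out. The following is an added example, not part of the original post and not Splunk tooling; the function names and the sample URL are hypothetical, and the DEBUG line is the one quoted in the post.

```python
import re
from urllib.parse import urlparse, parse_qs

# Matches the Job Inspector debug message quoted in the post above.
USING_SUMMARY = re.compile(
    r"DEBUG:\s*\[(?P<host>[^\]]+)\]\s*Using summaries for search, "
    r"summary_id=(?P<summary_id>[^,\s]+)"
)

def extract_sid(share_url):
    """Return the job ID: the value between 'sid=' and the next '&'."""
    values = parse_qs(urlparse(share_url).query).get("sid", [])
    return values[0] if values else None

def summaries_used(inspector_text):
    """Return (host, summary_id, trailing_id) for each matching message."""
    hits = []
    for m in USING_SUMMARY.finditer(inspector_text):
        summary_id = m.group("summary_id")
        # App and user names may contain '_', so keep only the last field.
        trailing = summary_id.rsplit("_", 1)[-1]
        hits.append((m.group("host"), summary_id, trailing))
    return hits

def uses_summary(inspector_text, expected_id):
    """True if any host reports using the summary with the expected ID."""
    want = expected_id.strip().lower()
    return any(t.lower() == want for _, _, t in summaries_used(inspector_text))

# Constructed sample input. The URL is hypothetical; the DEBUG line is
# copied from the post, including its truncated 'maxtimespan=' field.
SAMPLE_URL = "https://splunk.example/app/search/results?sid=1711111111.42&other=1"
SAMPLE_ACCELERATED = (
    "DEBUG: [your-host-name] Using summaries for search, "
    "summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_"
    "68c6a0bd6570ee2b, maxtimespan=\n"
)
SAMPLE_NOT_ACCELERATED = "DEBUG: [your-host-name] some unrelated message\n"

if __name__ == "__main__":
    print("job id:", extract_sid(SAMPLE_URL))
    for host, sid, trailing in summaries_used(SAMPLE_ACCELERATED):
        print(f"{host} used summary {trailing} (full id {sid})")
    print("accelerated:", uses_summary(SAMPLE_ACCELERATED, "68c6a0bd6570ee2b"))
    print("accelerated:", uses_summary(SAMPLE_NOT_ACCELERATED, "68c6a0bd6570ee2b"))
```

If no "Using summaries for search" message appears for the job, `uses_summary` returns False, which corresponds to the search not reading from the accelerated summary.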
