Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to confirm a search is using auto summarized data (Report Acceleration) ?

KarunK
Contributor
‎05-30-2013 06:32 PM

Hi All,

I have a search like below which is using "Report Acceleration" (Retention 7days). Even though the Report Acceleration Summary saying reporting is being accelerated, I am not seeing any visible improvement in report generation.

index="accesslog" status="200" | stats count by client_ip service | geoip client_ip

Is there anyway other-way to confirm that the search is using the auto accelerated summery for generating results/report. Does "Job Inspector" show this information ?

Any advise will be well appreciated.

Thanks

KK

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎05-30-2013 09:29 PM

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.

View solution in original post

Reply
Solved! Jump to solution

sansay
Contributor
‎12-18-2013 04:51 PM

A much better way to confirm that you are indeed using the accelerated summary was shown to me by Fred at Splunk tech support.
1. After your run a search at the web interface, click on the Save button, then select "Save and share results..."

  1. This will show you a dialog with the link to the results. Copy the job ID numbers, from "sid=" to & (ampersand)
  2. Close
  3. Open the Job management dialog by clicking on Jobs
  4. Paste the job ID in the search field, this should bring it in the list
  5. Click on Inspect: you should see a dialog open with Debug statements like this: DEBUG: [your-host-name] Using summaries for search, summary_id=DB9A5532-6493-4FD4-97F6-C454AFF89D57_search_username_68c6a0bd6570ee2b, maxtimespan=
  6. the number "68c6a0bd6570ee2b" should match the summary ID of your accelerated search which you can see by clicking on Manager, then Report Acceleration Summaries
Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎05-30-2013 09:29 PM

You can examine details about the summary using the Report Acceleration Summaries page in Manager, and you can verify the summary from that page as well. See Manage accelerated search summaries in the Knowledge Manager Manual for more information.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...