Hi Jkat thanks for your effort on this, I had tried the above query to fetch the summarization details by executing the query for 24 hrs time frame from the search head cluster web console. But I am getting the following errors while executing the query.

| rest /servicesNS/nobody/SA-critical_security_controls/admin/summarization/

Error Details:

REST Processor: Failed to fetch REST endpoint uri=https://x.x.x.x:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server https://x.x.x.x:8089. Check that the URI path provided exists in the REST API. Learn More

[splunk01] REST Processor: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API. Learn More

[splunk02] REST Processor: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API. Learn More

[splunk03] REST Processor: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API. Learn More

Splunk01,02 & 03 are the indexer nodes

Job :

Unexpected status for to fetch REST endpoint uri=https://x.x.x.x:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server=https://x.x.x.x:8089 - Forbidden

[splunk01] Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server=https://127.0.0.1:8089 - Not Found

Kindly guide me on this please

try adding splunk_server="local" to your rest call.

Hi cmerriman, thanks for you effort, could please tell me where to include this splunk_server="local" in the search query.

Kindly guide me on this please.

like so:

| rest /servicesNS/nobody/APPNAME/admin/summarization/ splunk_server="local"| eval sid="_ACCELERATE_".'summary.regular_id'."_ACCELERATE_"  | table *.name sid

you just need to add it to the end of your rest call.

Hi Cmerriman, I am getting the below error when executing the above query.

query details :

| rest /servicesNS/nobody/SA-critical_security_controls/admin/summarization/ splunk_server="local"| eval sid="ACCELERATE".'summary.regular_id'."ACCELERATE" | table *.name sid

REST Processor: Failed to fetch REST endpoint uri=https://x.x.x.x:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server https://x.x.x.x:8089. Check that the URI path provided exists in the REST API

Job :
No matching filed exits

Unexpected status for to fetch REST endpoint uri=https://x.x.x.x:8089/servicesNS/nobody/SA-critical_security_controls/admin/summarization/?count=0 from server=https://x.x.x.x:8089- Forbidden

Kindly guide me on this

Are you a member of a group or a user that has the Splunk admin role?

Hi jkat, thanks for effort, I have assigned with the admin role. But still i could see this error when i execute the query. Kindly guide me on this.

Does it work for the other app names?

DA-deployment_monitor
search

Hi Jkat54, yes I had tried for other apps and fetch the saved search names that are configured to DA-deployment_monitor, sos, search apps. These apps are configured under deployment instances.

DA-deployment_monitor

[sourcetypes_summary_10m]
dispatch.earliest_time=-24h@h
dispatch.latest_time=now
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -3mon@d
search = sourcetypes_summary_10m

[forwarders_summary_10m]
dispatch.earliest_time=-24h@h
dispatch.latest_time=now
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -3mon@d
request.ui_dispatch_app = splunk_deployment_monitor
search = forwarders_summary_10m

similarly we have almost 10 saved searches name, so let me know how to fix the skipped search issue, what configuration change I should make to fix this issue.

thanks in advance.

Hi Jkat54, Can you guide me on how to fix the skipped search issue for above mentioned saved search names.

thanks in advance.

or, does your user role have the dispatch_rest_to_indexer or rest_properties_get capability assigned to it?

Hi Cmerriman, I had tried for other apps and fetch the saved search names that are configured to DA-deployment_monitor, sos, search apps. These apps are configured under deployment instances. I have checked the roles and capabilities assigned and found both "dispatch_rest_to_indexer or rest_properties_get capability" are not assigned to my role (admin). But still I could get the output.

DA-deployment_monitor

[sourcetypes_summary_10m]
dispatch.earliest_time=-24h@h
dispatch.latest_time=now
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -3mon@d
search = sourcetypes_summary_10m

[forwarders_summary_10m]
dispatch.earliest_time=-24h@h
dispatch.latest_time=now
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -3mon@d
request.ui_dispatch_app = splunk_deployment_monitor
search = forwarders_summary_10m

similarly we have almost 10 saved searches name, so let me know how to fix the skipped search issue, what configuration change I should make to fix this issue.

thanks in advance.

Hi cmerriman, thanks for your effort on this, I have admin role assigned but both this capability are assigned to the admin role. Could please guide me on this.

thanks in advance.

I cant get this to work but here's an attempt to make one search that identifies the accelerated searches:

index="_internal" source="*scheduler.log" savedsplunker savedsearch_name=_ACCELERATE*  | stats count BY user, savedsearch_name, host,status, app | rename savedsearch_name as sid | map maxsearches=50  search="| join sid [| rest /servicesNS/nobody/$app$/admin/summarization/ | eval sid="_ACCELERATE_".'summary.regular_id'."_ACCELERATE_" | table sid]"

Actually, this is pretty good too:

 | rest /servicesNS/nobody/APPNAME/admin/summarization/ | eval sid="_ACCELERATE_".'summary.regular_id'."_ACCELERATE_"  | table *.name sid