Reporting

How to identify accelerated saved searches that are rarely or never invoked?

Ricapar
Communicator

Over the years we've allowed a lot of users to create and save their own searches, as well as allowing them to enable search acceleration on those searches.

All of those saved and accelerated searches are now starting to make an impact on performance.

I'd like to identify saved searches that have search acceleration turned on, but the searches are never or rarely invoked, and/or the acceleration summary is never used.

Any suggestions on how to approach this?

Flynt
Splunk Employee
Splunk Employee

You might be able to use |rest to accomplish this. Something like

index=_audit action=search [|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title|rename title as query]

Note that you'll need to have admin access to do this.

A quick explanation -

index=_audit action=search

will show you what searches have been called.

|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title|rename title as query

Check the saved searches endpoint for all users and all apps (- is wildcard in the API). Get only those that are accelerated (auto_summarize=1) and return just the title to the subquery.

This is how I check on my own instance anyway. You can do your stats or whatever from here, including finding out what users use them more often, etc. If you want to find which ones are not invoked you can join left with the list of summarized searches.

I do it this way -

|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title |join type=left title [search index=_audit action=search [|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title|rename title as query]|rex field=search ".*savedsearch(?<title>[^']+)"|eval title=trim(title)|stats count by title]

** Make sure you set your timepicker to a reasonable value (IE don't do it over ALL TIME)

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...