Reporting

How to track the cause of skipped saved searches?

SplunkTrust
SplunkTrust

We are having a decent amount of skipped searches. I ran the following command to check the skipped searches on one of my servers:

index=_internal sourcetype=scheduler status=skipped host=myserver | stats count by savedsearch_name

The savedsearch_name returns values such as:

_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_02593174e33fc45d_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_09f63ad7d1a1d06b_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_0ac745b14ecab8b6_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_108c58e6f626cb16_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_110c3882de4a5890_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_130fada24e08bb51_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_17754ec964ae92cb_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_21d8331e5fa9a96d_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_2f599eff4eea9aea_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_2f7c6ecde9ee6b75_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_45ffbfd3e014bed8_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_46ab7372a86e39df_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_4f684a8169c5b8b0_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_523964745249ac42_ACCELERATE_
_ACCELERATE_E4EADAFE-9F45-4619-9A10-5DB45EDD1CDD_myapp_metrics_user_5582c048c1849741_ACCELERATE_

These names do not help me correlate to a real saved search out there. Does anyone know of a REST command or any command that I can run that would help me track these skipped searches down?

SplunkTrust
SplunkTrust

Those are searches for report acceleration. If you get the "savedsearchid" field from the results it will give you the name of the user and the app, and the "searchtype" field will tell you the type of acceleration.

0 Karma