Reporting

Looking for Report Acceleration info in _internal

lguinn2
Legend

For my report acceleration summaries, I can see some statistics in the Splunk Manager. I've read the manual section on Manage Report Acceleration, so I know about the Summarization Load statistic and how it is calculated.

My question is: can I find out more about when the summarization tasks actually run behind the scenes, and how much load that is causing on my indexers? I browsed through the _internal index, but I didn't find anything obvious.

Where is creation/maintenance of report acceleration summaries logged?

Tags (1)
0 Karma
1 Solution

jtrucks
Splunk Employee
Splunk Employee

You can look at the logs on the server for some minor bit more data about the job, or you can do a search like:

index=_audit user=yourusername

that will get you some information if you know the username but not the jobid. If you know the jobid, you can try (example shows a real jobid, but replace with the correct one for your search):

index=_audit *1375207557.136764*

You might need to cull out splunkweb accesses by adding:

...  NOT *POST* NOT *GET*

Otherwise, you can get the same information from the logs:

grep 1375207557.136764 $SPLUNKHOME/var/log/splunk

Also, I found some intersting things using:

index=_* *summary*
--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks
Splunk Employee
Splunk Employee

You can look at the logs on the server for some minor bit more data about the job, or you can do a search like:

index=_audit user=yourusername

that will get you some information if you know the username but not the jobid. If you know the jobid, you can try (example shows a real jobid, but replace with the correct one for your search):

index=_audit *1375207557.136764*

You might need to cull out splunkweb accesses by adding:

...  NOT *POST* NOT *GET*

Otherwise, you can get the same information from the logs:

grep 1375207557.136764 $SPLUNKHOME/var/log/splunk

Also, I found some intersting things using:

index=_* *summary*
--
Jesse Trucks
Minister of Magic
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...