Reporting

Looking for Report Acceleration info in _internal

lguinn2
Legend

For my report acceleration summaries, I can see some statistics in the Splunk Manager. I've read the manual section on Manage Report Acceleration, so I know about the Summarization Load statistic and how it is calculated.

My question is: can I find out more about when the summarization tasks actually run behind the scenes, and how much load that is causing on my indexers? I browsed through the _internal index, but I didn't find anything obvious.

Where is creation/maintenance of report acceleration summaries logged?

Tags (1)
0 Karma
1 Solution

jtrucks
Splunk Employee
Splunk Employee

You can look at the logs on the server for some minor bit more data about the job, or you can do a search like:

index=_audit user=yourusername

that will get you some information if you know the username but not the jobid. If you know the jobid, you can try (example shows a real jobid, but replace with the correct one for your search):

index=_audit *1375207557.136764*

You might need to cull out splunkweb accesses by adding:

...  NOT *POST* NOT *GET*

Otherwise, you can get the same information from the logs:

grep 1375207557.136764 $SPLUNKHOME/var/log/splunk

Also, I found some intersting things using:

index=_* *summary*
--
Jesse Trucks
Minister of Magic

View solution in original post

jtrucks
Splunk Employee
Splunk Employee

You can look at the logs on the server for some minor bit more data about the job, or you can do a search like:

index=_audit user=yourusername

that will get you some information if you know the username but not the jobid. If you know the jobid, you can try (example shows a real jobid, but replace with the correct one for your search):

index=_audit *1375207557.136764*

You might need to cull out splunkweb accesses by adding:

...  NOT *POST* NOT *GET*

Otherwise, you can get the same information from the logs:

grep 1375207557.136764 $SPLUNKHOME/var/log/splunk

Also, I found some intersting things using:

index=_* *summary*
--
Jesse Trucks
Minister of Magic
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...