Splunk Search

How to create a search to find accelerated searches, their users, and their access count?

knielsen
Contributor

We have a rather large Splunk installation and user base. While checking our system for optimizations, we found that there are a lot of Accelerated Searches with 0 Access Count.

The Report Acceleration Summaries dashboard doesn't tell us the owner or the app of the report. Since we have >140 reports to check, it would be a bit tedious to write down the names of the Reports, and look for them in the global list, to find out the owner. You can't sort by accelerated / non-accelerated in the global list of searches/reports either.

How can I search for accelerated searches, their users and ideally their access count?

0 Karma
1 Solution

dkeck
Influencer

Hi,

there used to be a REST endpoint | rest splunk_server=local services/datamodel/acceleration but it's deprecated.

Maybe that will lead you to an alternative solution?

Kind Regards


knielsen
Contributor

Actually, it did point me to looking at the REST interface, and coming up with a solution.

So the endpoint I want to use seems to be | rest servicesNS/-/-/admin/summarization.

For whatever reason, that doesn't give me back the names of the searches, but puts the name into a constructed field ending with .name that has the name of the saved search in it. Since the output is a table, each of the 146 rows of the output had 146 *.name fields, of which only one held the name, together with some other info I needed to strip.

I ended up with this query now, I may get some additional fields into it, but this is basically it:

| rest servicesNS/-/-/admin/summarization
| fields author eai:acl.app eai:acl.owner summary.access_count summary.load_factor *.name
| foreach *.name [eval searchname=coalesce(replace('<<FIELD>>',"([^;]+;[^;]+;)(.+)","\2"),searchname)]
| fields - *.name
| sort summary.access_count

Should I mark yours as accepted answer now, because it made me look in the right direction?

Richfez
SplunkTrust

knielsen,

I would mark it as answered - sometimes a good pointer is all the answer that's needed. And by the way, we really appreciate you spending the time to write up what you found, because that's what's really helpful to those who search for these keywords later and come across this answer!

Thanks,
Rich

0 Karma

knielsen
Contributor

Yeah, I will.

And now I am digging into "does access count=0 really means it is never used?". From 146 accelerated searches in our system, 98 have access count 0, many of those with a load factor > 0.5. That seems brutal if I understand the docs correctly. 🙂

0 Karma
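As an added example that is not part of this thread, here is the same extraction knielsen's query does, carried out outside SPL in Python against the admin/summarization REST endpoint, plus the "access count 0 with a load factor above 0.5" check from the last post. Everything about the response shape is an assumption, not something the thread confirms: that the endpoint is read with output_mode=json, that each entry's "content" dict carries the flattened keys the SPL rest command shows (eai:acl.app, eai:acl.owner, summary.access_count, summary.load_factor), and that exactly one key per entry ends in ".name" and holds "<part>;<part>;<saved search name>". The sample entries at the bottom are constructed, and the hostname and token in the usage line are placeholders.

```python
"""Added example (not from the Splunk thread): list accelerated reports with
owner, app, access count and load factor via the admin/summarization endpoint.

Assumed response shape (not confirmed by the thread): output_mode=json, with
each entry's "content" holding the flattened keys that `| rest` exposes and one
key ending in ".name" whose value is "<part>;<part>;<saved search name>".
"""
import json
import re
import ssl
import urllib.request
from typing import Any, Optional

SUMMARIZATION_PATH = "/servicesNS/-/-/admin/summarization"

# Same idea as the SPL replace(): drop the first two ';'-separated parts,
# keep the rest (including any ';' inside the saved search name).
_NAME_RE = re.compile(r"^[^;]+;[^;]+;(.+)$")


def fetch_summarization(base_url: str, token: str, verify_tls: bool = True) -> list:
    """Fetch all entries from the endpoint. Network call; not exercised by the sample below."""
    req = urllib.request.Request(
        f"{base_url}{SUMMARIZATION_PATH}?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance still on the default self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["entry"]


def search_name(content: dict) -> Optional[str]:
    """Mirror of the foreach/coalesce/replace step: find the single '*.name' key and strip its prefix."""
    for key, value in content.items():
        if key.endswith(".name") and isinstance(value, str):
            m = _NAME_RE.match(value)
            if m:
                return m.group(1)
    return None  # entry without a recognisable name; kept so it is not silently dropped


def summarize(entries: list) -> list:
    """One row per accelerated report, sorted like the SPL (access count ascending, costliest first)."""
    rows = []
    for entry in entries:
        c: dict[str, Any] = entry.get("content", {})
        rows.append({
            "search": search_name(c),
            "app": c.get("eai:acl.app"),
            "owner": c.get("eai:acl.owner"),
            "access_count": int(c.get("summary.access_count", 0)),
            "load_factor": float(c.get("summary.load_factor", 0.0)),
        })
    rows.sort(key=lambda r: (r["access_count"], -r["load_factor"]))
    return rows


def unused_but_costly(rows: list, min_load_factor: float = 0.5) -> list:
    """Reports nobody reads (access_count 0) that still cost more than min_load_factor to maintain."""
    return [r for r in rows if r["access_count"] == 0 and r["load_factor"] > min_load_factor]


# Constructed sample entries in the assumed shape; not real Splunk output.
SAMPLE_ENTRIES = [
    {"name": "a1", "content": {"eai:acl.app": "search", "eai:acl.owner": "alice",
                               "summary.access_count": "0", "summary.load_factor": "0.83",
                               "summaries.a1.name": "nobody;search;Daily Auth Failures"}},
    {"name": "b2", "content": {"eai:acl.app": "SA-threat", "eai:acl.owner": "bob",
                               "summary.access_count": "12", "summary.load_factor": "0.10",
                               "summaries.b2.name": "nobody;SA-threat;Blocked Outbound by Dest"}},
    {"name": "c3", "content": {"eai:acl.app": "search", "eai:acl.owner": "carol",
                               "summary.access_count": "0", "summary.load_factor": "0.20",
                               "summaries.c3.name": "nobody;search;Weekly VPN Logins"}},
    {"name": "d4", "content": {"eai:acl.app": "search", "eai:acl.owner": "dave",
                               "summary.access_count": "3", "summary.load_factor": "0.50"}},
]

if __name__ == "__main__":
    # Replace with: entries = fetch_summarization("https://splunk.example:8089", "<token>")
    for row in summarize(SAMPLE_ENTRIES):
        print(f"{row['access_count']:>4} {row['load_factor']:>5.2f} {row['app']:<10} {row['owner']:<8} {row['search']}")
    print("candidates to drop:", [r["search"] for r in unused_but_costly(summarize(SAMPLE_ENTRIES))])
```

Sorting by (access_count, -load_factor) puts the never-read, most expensive summaries at the top, which is the list a practitioner wants to walk through with each owner before disabling acceleration.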