Splunk Search

How to create a search to find accelerated searches, their users, and their access count?

knielsen
Contributor

We have a rather large Splunk installation and user base. While checking our system for optimizations, we found that there are a lot of Accelerated Searches with 0 Access Count.

The Report Acceleration Summaries dashboard doesn't tell us the owner or the app of the report. Since we have >140 reports to check, it would be a bit tedious to write down the names of the Reports, and look for them in the global list, to find out the owner. You can't sort by accelerated / non-accelerated in the global list of searches/reports either.

How can I search for accelerated searches, their users and ideally their access count?

1 Solution

dkeck
Influencer

Hi,

there used to be a REST endpoint | rest splunk_server=local services/datamodel/acceleration but it's deprecated.

Maybe that will lead you to an alternative solution?

Kind regards

knielsen
Contributor

Actually, it did point me to looking at the REST interface and coming up with a solution.

So the endpoint I want to use seems to be | rest servicesNS/-/-/admin/summarization.

For whatever reason, that doesn't give me back the names of the searches, but puts the name into a constructed field ending with .name that has the name of the saved search in it. Since the output is a table, all 146 rows of the output had 146 *.name fields, where only one had the name, with some other info I needed to strip out of it.

I ended up with this query now; I may get some additional fields into it, but this is basically it:

| rest servicesNS/-/-/admin/summarization | fields author eai:acl.app eai:acl.owner summary.access_count summary.load_factor *.name | foreach *.name [eval searchname=coalesce(replace('<<FIELD>>',"([^;]+;[^;]+;)(.+)","\2"),searchname)] | fields - *.name | sort summary.access_count

Should I mark yours as accepted answer now, because it made me look in the right direction?

Richfez
SplunkTrust

knielsen,

I would mark it as answered - sometimes a good pointer is all the answer that's needed. And by the way, we really appreciate you spending the time to write up what you found, because that's what's really helpful to those who search for these keywords later and come across this answer!

Thanks,
Rich


knielsen
Contributor

Yeah, I will.

And now I am digging into "does access count=0 really mean it is never used?". From 146 accelerated searches in our system, 98 have access count 0, many of those with a load factor > 0.5. That seems brutal if I understand the docs correctly. 🙂

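An added Python example (not from the original posts, nor Splunk's own code) that does offline what the SPL query above does and then applies the "access count 0 but load factor above 0.5" check from the follow-up: the rows are constructed to match the post's description of the flattened summarization endpoint output, and the two-prefix ';' layout of the *.name value is an assumption taken from the regex in the query.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rows (not real endpoint output) laid out the way the post
# describes the flattened `| rest servicesNS/-/-/admin/summarization` table:
# every row has one populated "<id>.name" field whose value carries two
# ';'-separated prefixes in front of the saved-search name (assumed format).
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"author": "alice", "eai:acl.app": "search", "eai:acl.owner": "alice",
     "summary.access_count": "0", "summary.load_factor": "0.73",
     "search:1.name": "nobody;search;Daily error summary"},
    {"author": "bob", "eai:acl.app": "security", "eai:acl.owner": "bob",
     "summary.access_count": "12", "summary.load_factor": "0.21",
     "search:2.name": "nobody;security;Failed logins by host"},
    {"author": "carol", "eai:acl.app": "ops", "eai:acl.owner": "carol",
     "summary.access_count": "0", "summary.load_factor": "0.08",
     "search:3.name": "nobody;ops;Disk usage trend"},
]

# Same regex the SPL uses: drop the first two ';'-delimited parts, keep the rest.
NAME_RE = re.compile(r"([^;]+;[^;]+;)(.+)")


def extract_searchname(row: Dict[str, str]) -> Optional[str]:
    """Mirror the SPL foreach/coalesce/replace step: take the first populated
    *.name field in the row and strip its two prefixes."""
    for key, value in row.items():
        if key.endswith(".name") and value:
            match = NAME_RE.match(value)
            if match:
                return match.group(2)
    return None


def summarize(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Build the name/app/owner/access-count table, sorted by access count."""
    table = []
    for row in rows:
        table.append({
            "searchname": extract_searchname(row),
            "app": row.get("eai:acl.app"),
            "owner": row.get("eai:acl.owner"),
            "access_count": int(row.get("summary.access_count", "0")),
            "load_factor": float(row.get("summary.load_factor", "0")),
        })
    return sorted(table, key=lambda r: r["access_count"])


def unused_but_costly(rows: List[Dict[str, str]], threshold: float = 0.5) -> List[str]:
    """Names of accelerations never accessed yet above the load-factor threshold."""
    return [r["searchname"] for r in summarize(rows)
            if r["access_count"] == 0 and r["load_factor"] > threshold]
```

Against a live instance the same two functions can be fed the rows returned by the REST call; only the sample data here is made up.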