Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search to find accelerated searches, their users, and their access count?

knielsen
Contributor
‎10-27-2016 05:33 AM

We have a rather larger Splunk installation and user base. While checking our system for optimizations, we found that there are a lot of Accelerated Searches with 0 Access Count.

The Report Acceleration Summaries dashboard doesn't tell us the owner or the app of the report. Since we have >140 reports to check, it would be a bit tedious to write down the names of the Reports, and look for them in the global list, to find out the owner. You can't sort by accelerated / non-accelerated in the global list of searches/reports either.

How can I search for accelerated searches, their users and ideally their access count?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dkeck
Influencer
‎10-28-2016 03:04 AM

HI,

there used to be an rest endpoint | rest splunk_server=local services/datamodel/acceleration but its deprecated.

Maybe that will lead you to an alternative solution?

Kidn Regards

View solution in original post

Reply
Solved! Jump to solution
Solution

dkeck
Influencer
‎10-28-2016 03:04 AM

HI,

there used to be an rest endpoint | rest splunk_server=local services/datamodel/acceleration but its deprecated.

Maybe that will lead you to an alternative solution?

Kidn Regards

Reply
Solved! Jump to solution

knielsen
Contributor
‎10-28-2016 05:54 AM

Actually, it did point me to looking at rest interface, and coming up with a solution.

So the endpoint I want to use seems to be | rest servicesNS/-/-/admin/summarization.

For whatever reason, that doesn't give me back the names of the searches, but puts the name into a constructed field ending with .name, that has the name of the saved search into it. Since the output is a table, all 146 rows of the output had 146 *.name fields, where only one had the name with some other info I needed to strip into them.

I ended up with this query now, i may get some additional fields into it, but this is basically it:

| rest servicesNS/-/-/admin/summarization |fields author eai:acl.app eai:acl.owner summary.access_count summary.load_factor *.name | foreach *.name [eval searchname=coalesce(replace('<<FIELD>>',"([^;]+;[^;]+;)(.+)","\2"),searchname)] | fields - *.name | sort summary.access_count

Should I mark yours as accepted answer now, because it made me look in the right direction?

Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎10-28-2016 06:27 AM

knielson,

I would mark it as answered - sometimes a good pointer is all the answer that's needed. And by the way, we really appreciate you spending the time to write up what you found, because that's what's really helpful to those who search for these keywords later and come across this answer!

Thanks,
Rich

0 Karma
Reply
Solved! Jump to solution

knielsen
Contributor
‎10-28-2016 06:41 AM

Yeah, I will.

And now I am digging into "does access count=0 really means it is never used?". From 146 accelerated searches in our system, 98 have access count 0, many of those with a load factor > 0.5. That seems brutal if I understand the docs correctly. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...