Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to identify a skipped scheduled accelerated report ?

Glasses2
Communicator
‎09-24-2024 08:22 AM

I have noticed that a saved search is chronically skipped, almost 100% but I cannot trace it back to the origin.
The search name is >>> _ACCELERATE_<redacted>_search_nobody_<redacted>_ACCELERATE_

From _internal its in search app, report acceleration, and user nobody.  _Audit provides no clues either.

How do I trace this to the source?

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 07:14 AM

Hi

this is either DM acceleration or Report acceleration.  

_ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_

Shows that it is under search & report app, it's owned by nobody. 

123456978 is quite probably reports acceleration Summary ID. You could check this e.g from Settings -> Searches, Reports, and Alerts. Then just click one by one those reports which are accelerated and click that thunder mark. It opens a new screen where this Summary ID is. Probably there is at least REST query which you can also use.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎09-24-2024 08:57 AM

Hi @Glasses2 

you can look for skipped searches in moniotoring console 

Scheduler Activity: Instance or deployment and bottom of the dashboard you will find panel named 

Count of Skipped Reports by Name and Reason

0 Karma
Reply
Solved! Jump to solution

Glasses2
Communicator
‎09-24-2024 09:36 AM

Thank you, I am aware of that modal in MC but it gives me the same arcane name


for example 
>>> _ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_"


However, the origin host is my dedicated MC splunk server and there is only 1 accelerate report icon listed for >License Usage Data Cube, so I assume that is the culprit.   

But why is it skipping?  I clicked the accelerate option, perhaps I need to adjust the max scheduled searches?

Yes I found a number of garbage scheduled reports from years ago eating up resources and starving the accelerated report for the License Usage Data Cube.   I incorrectly assumed that report would have priority to resources.

Thank you for your help.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 07:14 AM

Hi

this is either DM acceleration or Report acceleration.  

_ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_

Shows that it is under search & report app, it's owned by nobody. 

123456978 is quite probably reports acceleration Summary ID. You could check this e.g from Settings -> Searches, Reports, and Alerts. Then just click one by one those reports which are accelerated and click that thunder mark. It opens a new screen where this Summary ID is. Probably there is at least REST query which you can also use.

r. Ismo

Reply
Solved! Jump to solution

Glasses2
Communicator
‎09-30-2024 06:21 AM

@isoutamo 

Yes you are correct.  The acceleration detail has an Summary Id , which does correspond to the savedsearch_name 

_ACCELERATE_<redacted>_search_nobody_<Summary Id>_ACCELERATE_

This confirms the issue is the License Usage Data Cube  cube report/acceleration.

I will need to adjust the search resources to prevent the skipping.

Thank you!!!

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...