Splunk Search

How to identify a skipped scheduled accelerated report?

Glasses2
Communicator

I have noticed that a saved search is chronically skipped, almost 100% but I cannot trace it back to the origin.
The search name is >>> _ACCELERATE_<redacted>_search_nobody_<redacted>_ACCELERATE_

From _internal it's in search app, report acceleration, and user nobody. _Audit provides no clues either.

How do I trace this to the source?

Thank you

isoutamo
SplunkTrust

Hi

This is either DM acceleration or Report acceleration.

_ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_

Shows that it is under search & report app, it's owned by nobody.

123456978 is quite probably the report acceleration Summary ID. You could check this e.g. from Settings -> Searches, Reports, and Alerts. Then just click one by one those reports which are accelerated and click that thunder mark. It opens a new screen where this Summary ID is. Probably there is at least a REST query which you can also use.

r. Ismo


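The name breakdown described in the answer above, as an added example that is not part of the original thread: a Python sketch that splits `_ACCELERATE_..._ACCELERATE_` names into their parts and counts skipped runs per Summary ID. The log lines, IDs and reason text are constructed; the field names (`user`, `app`, `savedsearch_name`, `status`, `reason`) and the rule that the Summary ID contains no underscore are assumptions. The `app` and `user` fields from the same line are used to resolve app names that themselves contain underscores.

```python
import re
from collections import Counter

REASON = "concurrency limit reached (constructed reason text)"
ACC = "_ACCELERATE_AAAA-BBBB"  # constructed prefix, stands in for the redacted part
# Constructed scheduler-style log lines (not from the thread); all IDs are made up.
SAMPLE_LOG = "\n".join([
    f'01-05-2025 10:00:00 INFO SavedSplunker - user="nobody", app="search", savedsearch_name="{ACC}_search_nobody_NS1234abcd_ACCELERATE_", status=skipped, reason="{REASON}"',
    f'01-05-2025 10:10:00 INFO SavedSplunker - user="nobody", app="search", savedsearch_name="{ACC}_search_nobody_NS1234abcd_ACCELERATE_", status=skipped, reason="{REASON}"',
    f'01-05-2025 10:20:00 INFO SavedSplunker - user="nobody", app="search", savedsearch_name="{ACC}_search_nobody_NS1234abcd_ACCELERATE_", status=success',
    f'01-05-2025 10:20:05 INFO SavedSplunker - user="admin", app="search", savedsearch_name="Old weekly report", status=skipped, reason="{REASON}"',
    f'01-05-2025 10:30:00 INFO SavedSplunker - user="nobody", app="my_app", savedsearch_name="{ACC}_my_app_nobody_NS9999ffff_ACCELERATE_", status=skipped, reason="{REASON}"',
])

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')
# _ACCELERATE_<prefix>_<app>_<owner>_<summary id>_ACCELERATE_
NAME = re.compile(r'^_ACCELERATE_(?P<prefix>[^_]+)_(?P<middle>.+)_(?P<summary_id>[^_]+)_ACCELERATE_$')

def parse_fields(line):
    """Extract key=value pairs from one log line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def split_name(name, app, user):
    """Return (prefix, summary_id), or None if the name does not fit the pattern."""
    m = NAME.match(name)
    # The middle part must be exactly "<app>_<owner>" as logged on the same line.
    if not m or m["middle"] != f"{app}_{user}":
        return None
    return m["prefix"], m["summary_id"]

def skipped_by_summary(log_text):
    """Count skipped accelerated-report runs per (summary_id, app, owner, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("status") != "skipped":
            continue
        parts = split_name(f.get("savedsearch_name", ""), f.get("app", ""), f.get("user", ""))
        if parts:
            counts[(parts[1], f["app"], f["user"], f.get("reason", ""))] += 1
    return counts

if __name__ == "__main__":
    for (sid, app, user, reason), n in skipped_by_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  summary_id={sid} app={app} owner={user}  {reason}")
```

The Summary ID it reports is the value to compare against the one shown in a report's acceleration details under Settings -> Searches, Reports, and Alerts.
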
SanjayReddy
SplunkTrust

Hi @Glasses2 

You can look for skipped searches in the Monitoring Console.

Go to Scheduler Activity: Instance or Deployment, and at the bottom of the dashboard you will find a panel named Count of Skipped Reports by Name and Reason.

Glasses2
Communicator

Thank you, I am aware of that modal in MC but it gives me the same arcane name, for example
>>> _ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_


However, the origin host is my dedicated MC splunk server and there is only 1 accelerate report icon listed for >License Usage Data Cube, so I assume that is the culprit.   

But why is it skipping?  I clicked the accelerate option, perhaps I need to adjust the max scheduled searches?

Yes I found a number of garbage scheduled reports from years ago eating up resources and starving the accelerated report for the License Usage Data Cube.   I incorrectly assumed that report would have priority to resources.

Thank you for your help.

Glasses2
Communicator

@isoutamo 

Yes, you are correct. The acceleration detail has a Summary Id, which does correspond to the savedsearch_name

_ACCELERATE_<redacted>_search_nobody_<Summary Id>_ACCELERATE_

This confirms the issue is the License Usage Data Cube cube report/acceleration.

I will need to adjust the search resources to prevent the skipping.

Thank you!!!
