Splunk Search

How to identify a skipped scheduled accelerated report?

Glasses2
Communicator

I have noticed that a saved search is chronically skipped, almost 100% but I cannot trace it back to the origin.
The search name is >>> _ACCELERATE_<redacted>_search_nobody_<redacted>_ACCELERATE_

From _internal it's in search app, report acceleration, and user nobody. _Audit provides no clues either.

How do I trace this to the source?

Thank you

1 Solution

isoutamo
SplunkTrust

Hi

this is either DM acceleration or Report acceleration.  

_ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_

Shows that it is under search & report app, it's owned by nobody. 

123456978 is quite probably the report acceleration Summary ID. You could check this e.g. from Settings -> Searches, Reports, and Alerts. Then just click one by one those reports which are accelerated and click that thunder mark. It opens a new screen where this Summary ID is. Probably there is at least a REST query which you can also use.

r. Ismo
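An added example (not part of the original posts and not Splunk code): a small Python parser that splits acceleration search names using the layout described in this answer and counts skipped runs per Summary ID. The log lines and reason text are constructed, and the assumption that only the app name may contain underscores belongs to this example.

```python
import re
from collections import Counter

# Layout from the thread: _ACCELERATE_<GUID>_<app>_<owner>_<Summary ID>_ACCELERATE_
# Assumption: GUID, owner and Summary ID contain no underscore; the app name may.
REPORT_RE = re.compile(r"^_ACCELERATE_(?P<guid>[^_]+)_(?P<app>.+)_(?P<owner>[^_]+)"
                       r"_(?P<summary_id>[^_]+)_ACCELERATE_$")
# Data model acceleration uses _ACCELERATE_DM_<app>_<model>_ACCELERATE_; both parts
# may contain underscores, so the remainder is kept unsplit.
DM_RE = re.compile(r"^_ACCELERATE_DM_(?P<app_and_model>.+)_ACCELERATE_$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')  # key="quoted" or key=bare

def parse_accelerate_name(name):
    """Split an acceleration search name into its parts, or return None."""
    for kind, rx in (("datamodel", DM_RE), ("report", REPORT_RE)):
        m = rx.match(name)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def skipped_accelerations(lines):
    """Count skipped acceleration runs per (kind, Summary ID or DM name, reason)."""
    counts = Counter()
    for line in lines:
        kv = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}
        parsed = parse_accelerate_name(kv.get("savedsearch_name", ""))
        if kv.get("status") != "skipped" or parsed is None:
            continue
        ident = parsed.get("summary_id") or parsed["app_and_model"]
        counts[(parsed["kind"], ident, kv.get("reason", ""))] += 1
    return counts

# Constructed scheduler-style lines; NAME is the placeholder name quoted in the thread.
NAME = "_ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_"
REASON = "concurrency limit reached (constructed)"
LINE = 'INFO SavedSplunker - user="nobody", savedsearch_name="{}", status={}, reason="{}"'
SAMPLE = [
    LINE.format(NAME, "skipped", REASON),
    LINE.format(NAME, "skipped", REASON),
    LINE.format(NAME, "success", ""),              # ran fine: not counted
    LINE.format("Old Report", "skipped", REASON),  # not an acceleration search
    LINE.format("_ACCELERATE_DM_search_Example_Model_ACCELERATE_", "skipped", REASON),
]

if __name__ == "__main__":
    for (kind, ident, reason), n in skipped_accelerations(SAMPLE).items():
        print(f"{n:3d}  {kind:9s}  {ident}  ({reason})")
```

The Summary ID it prints is the value to match against the acceleration details screen reached from Settings -> Searches, Reports, and Alerts.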


SanjayReddy
SplunkTrust

Hi @Glasses2 

You can look for skipped searches in the Monitoring Console:

Scheduler Activity: Instance or deployment and bottom of the dashboard you will find panel named 

Count of Skipped Reports by Name and Reason


Glasses2
Communicator

Thank you, I am aware of that modal in MC but it gives me the same arcane name


for example 
>>> _ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_


However, the origin host is my dedicated MC splunk server and there is only 1 accelerate report icon listed for >License Usage Data Cube, so I assume that is the culprit.   

But why is it skipping?  I clicked the accelerate option, perhaps I need to adjust the max scheduled searches?

Yes I found a number of garbage scheduled reports from years ago eating up resources and starving the accelerated report for the License Usage Data Cube.   I incorrectly assumed that report would have priority to resources.

Thank you for your help.


Glasses2
Communicator

@isoutamo 

Yes, you are correct. The acceleration detail has a Summary Id, which does correspond to the savedsearch_name

_ACCELERATE_<redacted>_search_nobody_<Summary Id>_ACCELERATE_

This confirms the issue is the License Usage Data Cube  cube report/acceleration.

I will need to adjust the search resources to prevent the skipping.

Thank you!!!
