Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to identify accelerated saved searches that are rarely or never invoked?

Ricapar
Communicator
‎12-07-2016 08:01 AM

Over the years we've allowed a lot of users to create and save their own searches, as well as allowing them to enable search acceleration on those searches.

All of those saved and accelerated searches are now starting to make an impact on performance.

I'd like to identify saved searches that have search acceleration turned on, but the searches are never or rarely invoked, and/or the acceleration summary is never used.

Any suggestions on how to approach this?

Reply

Flynt
Splunk Employee
Splunk Employee
‎12-07-2016 11:18 AM

You might be able to use |rest to accomplish this. Something like 

index=_audit action=search [|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title|rename title as query]

Note that you'll need to have admin access to do this.

A quick explanation -

index=_audit action=search

will show you what searches have been called.

|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title|rename title as query

Check the saved searches endpoint for all users and all apps (- is wildcard in the API). Get only those that are accelerated (auto_summarize=1) and return just the title to the subquery.

This is how I check on my own instance anyway. You can do your stats or whatever from here, including finding out what users use them more often, etc. If you want to find which ones are not invoked you can join left with the list of summarized searches.

I do it this way -

|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title |join type=left title [search index=_audit action=search [|rest /servicesNS/-/-/saved/searches|where auto_summarize=1 |table title|rename title as query]|rex field=search ".*savedsearch(?<title>[^']+)"|eval title=trim(title)|stats count by title]

** Make sure you set your timepicker to a reasonable value (IE don't do it over ALL TIME)

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...