Report scheduling/acceleration question...

a212830 · ‎02-19-2017

Hi,

I need to generate a number of reports about license utilization for different customers, over the past 30 days. Do I need to re-run the past 30 days search every day, or is there a way to run it for one day, and have a history that keeps building? Running it every day for 30 days seems like a waste of resources...

martin_mueller · ‎02-19-2017

You could enable report acceleration for your report to avoid re-running over old days again and again.
You could use the existing license usage data model or a custom one, accelerate that, and build your 30-day reports off that accelerated data model.
You could run a summary search every day to build the report for yesterday, and run your 30-day reports off that summary index.

martin_mueller · ‎02-19-2017

The first one is the easiest to build - save the report with a time range of 30 days, check the "accelerate" box, select 30 days, save, done. Splunk does the rest underneath.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Report/Acceleratereports

kiril123 · ‎09-25-2017

Do you need to schedule report as well?

leonphelps_s · ‎02-26-2018

No, its like a rolling 30 day window.

a212830 · ‎02-19-2017

For the first one, how does that work in practice? I want to report on 30 days, but not have my search query the past 30 days every time.

Report scheduling/acceleration question...

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?