Splunk Search

How to identify a skipped scheduled accelerated report?

Glasses2
Communicator

I have noticed that a saved search is chronically skipped, almost 100% but I cannot trace it back to the origin.
The search name is >>> _ACCELERATE_<redacted>_search_nobody_<redacted>_ACCELERATE_

From _internal, it's in the search app, report acceleration, and user nobody. _Audit provides no clues either.

How do I trace this to the source?

Thank you

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

This is either DM acceleration or Report acceleration.

_ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_

It shows that it is under the search & report app and is owned by nobody.

123456978 is quite probably the report acceleration Summary ID. You could check this e.g. from Settings -> Searches, Reports, and Alerts. Then just click, one by one, the reports which are accelerated and click the thunder mark. It opens a new screen where this Summary ID is shown. There is probably also at least a REST query which you can use.

r. Ismo


SanjayReddy
SplunkTrust

Hi @Glasses2 

You can look for skipped searches in the Monitoring Console.

Under Scheduler Activity: Instance or Deployment, at the bottom of the dashboard, you will find a panel named

Count of Skipped Reports by Name and Reason

0 Karma

Glasses2
Communicator

Thank you, I am aware of that modal in MC but it gives me the same arcane name


For example:
>>> _ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_


However, the origin host is my dedicated MC Splunk server and there is only 1 accelerate report icon listed, for License Usage Data Cube, so I assume that is the culprit.

But why is it skipping? I clicked the accelerate option; perhaps I need to adjust the max scheduled searches?

Yes, I found a number of garbage scheduled reports from years ago eating up resources and starving the accelerated report for the License Usage Data Cube. I incorrectly assumed that report would have priority to resources.

Thank you for your help.

0 Karma

Glasses2
Communicator

@isoutamo 

Yes, you are correct. The acceleration detail has a Summary Id, which does correspond to the savedsearch_name

_ACCELERATE_<redacted>_search_nobody_<Summary Id>_ACCELERATE_

This confirms the issue is the License Usage Data Cube report/acceleration.

I will need to adjust the search resources to prevent the skipping.

Thank you!!!

0 Karma
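
The name decoding worked out in this thread, as an added example that is not part of any post: it counts skipped runs per acceleration search and splits each name into app, owner and Summary ID for comparison with the acceleration detail screen. The log lines are constructed, the `_ACCELERATE_DM_` prefix for data model acceleration goes beyond what the thread shows, and the parser assumes the owner name contains no underscore.

```python
import re
from collections import Counter

# Constructed scheduler.log-style lines (not from the thread); the GUID and
# Summary ID are the placeholder values used in the posts above.
NAME = "_ACCELERATE_111111-22222-333-4444-123456789_search_nobody_123456978_ACCELERATE_"
DM_NAME = "_ACCELERATE_DM_search_Example_Model_ACCELERATE_"  # constructed model name
SAMPLE_LOG = "\n".join([
    f'INFO SavedSplunker - app="search", user="nobody", savedsearch_name="{NAME}", status=skipped, reason="constructed"',
    f'INFO SavedSplunker - app="search", user="nobody", savedsearch_name="{NAME}", status=skipped, reason="constructed"',
    f'INFO SavedSplunker - app="search", user="nobody", savedsearch_name="{NAME}", status=success',
    'INFO SavedSplunker - app="search", user="admin", savedsearch_name="Old Weekly Report", status=skipped, reason="constructed"',
    f'INFO SavedSplunker - app="search", user="nobody", savedsearch_name="{DM_NAME}", status=skipped, reason="constructed"',
])

# Report acceleration: _ACCELERATE_<guid>_<app>_<owner>_<summary id>_ACCELERATE_
# The app may contain underscores, so owner and summary ID are anchored from the right.
REPORT_RE = re.compile(
    r"^_ACCELERATE_(?P<guid>[^_]+)_(?P<app>.+)_(?P<owner>[^_]+)_(?P<summary_id>[^_]+)_ACCELERATE_$")
DM_RE = re.compile(r"^_ACCELERATE_DM_(?P<rest>.+)_ACCELERATE_$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')  # key="quoted" or key=bare


def decode_name(name):
    """Split an acceleration search name into its parts; None for ordinary searches."""
    m = DM_RE.match(name)  # must be tested first, the report pattern would also match
    if m:
        return {"kind": "data_model", "app_and_model": m["rest"]}
    m = REPORT_RE.match(name)
    if m:
        return {"kind": "report", **m.groupdict()}
    return None


def skipped_accelerations(log_text):
    """Return [(decoded name, skip count)] for acceleration searches, most skipped first."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
        name = fields.get("savedsearch_name", "")
        if fields.get("status") == "skipped" and decode_name(name):
            counts[name] += 1
    return [(decode_name(name), count) for name, count in counts.most_common()]


if __name__ == "__main__":
    for parts, count in skipped_accelerations(SAMPLE_LOG):
        print(count, parts)
```

The `summary_id` value is what to match against the Summary ID shown on each accelerated report's detail screen.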