Splunk Search

[Report Acceleration] Can we benefit from the accelerated summary outside the app?

sylim_splunk
Splunk Employee
Splunk Employee

If a report is accelerated in the search app, are the other apps supposed to benefit from its acceleration? The report is shared with all app and the search app is exported to global. The reason is that I am getting the opposite behavior.

Test1. I run the saved search in the search app context, it look up the accelerated data and returns results fast.

Test2. I run the saved search in the exchange app and it is not accelerated. I am re-running the report acceleration on the app context I need, but found this behavior odd. Seems like the local.meta permissions are valid for the report share but not the summarization created by the report accel option.

So the question is... is a report is accelerated and shared, can other apps take advantage of the accelerated report?

Labels (1)
Tags (1)
1 Solution

sylim_splunk
Splunk Employee
Splunk Employee

 Your use case is not supported. It is scoped by app and will not work outside the app context.  This is by design.

In search log if it will fail to find summary id with the log..

07-22-2020 22:19:07.250 INFO dispatchRunner - search context: user="admin", app="exchange app", bs-pathname="/opt/splunk/etc"
07-22-2020 22:19:07.399 INFO DispatchThread - Did not find a usable summary_id, setting info._summary_mode=none, not modifying input summary_id=...

 

 

View solution in original post

Tags (1)

sylim_splunk
Splunk Employee
Splunk Employee

 Your use case is not supported. It is scoped by app and will not work outside the app context.  This is by design.

In search log if it will fail to find summary id with the log..

07-22-2020 22:19:07.250 INFO dispatchRunner - search context: user="admin", app="exchange app", bs-pathname="/opt/splunk/etc"
07-22-2020 22:19:07.399 INFO DispatchThread - Did not find a usable summary_id, setting info._summary_mode=none, not modifying input summary_id=...

 

 

Tags (1)
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...