Skip to content

Commit 047ccf3

Browse files
gjandersgjanders
authored
Update savedsearches.conf
1 parent 86ec4f5 commit 047ccf3

File tree

1 file changed

+5
-5
lines changed

1 file changed

+5
-5
lines changed

default/savedsearches.conf

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7593,7 +7593,7 @@ disabled = 1
75937593
action.email.useNSSubject = 1
75947594
alert.track = 0
75957595
cron_schedule = 38 * * * *
7596-
description = Report only? Yes. As found on Clara-Fication: Finding and Improving Expensive Searches, https://conf.splunk.com/files/2022/slides/PLA1162B.pdf / https://conf.splunk.com/files/2022/recordings/PLA1162B_1080.mp4. Run on the search head with the DMA
7596+
description = Report only? Yes. As found on Clara-Fication: Finding and Improving Expensive Searches, https://conf.splunk.com/files/2022/slides/PLA1162B.pdf / https://conf.splunk.com/files/2022/recordings/PLA1162B_1080.mp4. Run on the search head with the DMA. Also refer to SearchHeadLevel - Datamodel access summary for a more detailed view.
75977597
dispatch.earliest_time = -65m@m
75987598
dispatch.latest_time = -5m@m
75997599
display.events.fields = ["index","sourcetype","host"]
@@ -8787,7 +8787,7 @@ search = | rest /servicesNS/-/-/saved/searches count=0 search="disabled=0" searc
87878787
action.email.useNSSubject = 1
87888788
alert.track = 0
87898789
cron_schedule = 38 * * * *
8790-
description = Report only? Yes. This report is based on the query in Splunk community slack provided by Ismo Soutamo. This query returns a summary of datamodels, acceleration status and if accelerated, access count and time.
8790+
description = Report only? Yes. This report is based on the query in Splunk community slack provided by Ismo Soutamo. This query returns a summary of datamodels, acceleration status and if accelerated, access count and time. Similar to SearchHeadLevel - Accelerated DataModels Access Info. Run on the search head with DMA enabled.
87918791
dispatch.earliest_time = -65m@m
87928792
dispatch.latest_time = -5m@m
87938793
display.events.fields = ["index","sourcetype","host"]
@@ -8800,12 +8800,12 @@ search = | rest splunk_server=local timeout=60 /servicesNS/-/-/datamodel/model
88008800
| search acceleration = "*true*" \
88018801
| eval DM="tstats:DM_" . 'eai:acl.app' . "_" . title \
88028802
| join DM type=outer \
8803-
[| rest splunk_server=local timeout=60 /servicesNS/-/-/admin/summarization by_tstats=1 f=summary.access_count f=summary.access_time \
8803+
[| rest splunk_server=local timeout=60 /servicesNS/-/-/admin/summarization by_tstats=1 f=summary.access_count f=summary.access_time f=summary.size \
88048804
| search summary.access_count > 0 \
8805-
| table title summary.access_count summary.access_time \
8805+
| table title summary.access_count summary.access_time summary.size \
88068806
| rename title as DM] \
88078807
| spath input=acceleration \
88088808
| rename eai:acl.* -> *\
88098809
| rename enabled AS acceleration_enabled\
8810-
| table title author app summary.access_count summary.access_time perms.read sharing updated acceleration_enabled earliest_time, cron_schedule, max_time, backfill_time, max_concurrent, allow_skew, allow_old_summaries\
8810+
| table title author app summary.access_count summary.access_time summary.size perms.read sharing updated acceleration_enabled earliest_time, cron_schedule, max_time, backfill_time, max_concurrent, allow_skew, allow_old_summaries\
88118811
| eval summary.access_time=strftime('summary.access_time', "%+")

0 commit comments

Comments
 (0)