Update savedsearches.conf

default/savedsearches.conf

@@ -8782,3 +8782,30 @@ request.ui_dispatch_view = search
 search = | rest /servicesNS/-/-/saved/searches count=0 search="disabled=0" search="is_scheduled=1" f=next_scheduled_time `splunkadmins_restmacro` f=title f=eai:* \
 | search next_scheduled_time="" \
 | table author, eai:acl.app, , title, next_scheduled_time 
+
+[SearchHeadLevel - Datamodel access summary]
+action.email.useNSSubject = 1
+alert.track = 0
+cron_schedule = 38 * * * *
+description = Report only? Yes. This report is based on the query in Splunk community slack provided by Ismo Soutamo. This query returns a summary of datamodels, acceleration status and if accelerated, access count and time.
+dispatch.earliest_time = -65m@m
+dispatch.latest_time = -5m@m
+display.events.fields = ["index","sourcetype","host"]
+display.general.type = statistics
+enableSched = 0
+request.ui_dispatch_app = SplunkAdmins
+request.ui_dispatch_view = search
+search =  | rest splunk_server=local timeout=60 /servicesNS/-/-/datamodel/model f=eai:* f=acceleration f=displayName \
+| fields title displayName author eai:acl.app eai:appName eai:acl.perms.read eai:acl.sharing splunk_server acceleration updated \
+| search acceleration = "*true*" \
+| eval DM="tstats:DM_" . 'eai:acl.app' . "_" . title \
+| join DM type=outer \
+    [| rest splunk_server=local timeout=60 /servicesNS/-/-/admin/summarization by_tstats=1 f=summary.access_count f=summary.access_time \
+    | search summary.access_count > 0 \
+    | table title summary.access_count summary.access_time \
+    | rename title as DM] \
+| spath input=acceleration \
+| rename eai:acl.* -> *\
+| rename enabled AS acceleration_enabled\
+| table title author app summary.access_count summary.access_time perms.read sharing updated acceleration_enabled earliest_time, cron_schedule, max_time, backfill_time, max_concurrent, allow_skew, allow_old_summaries\
+| eval summary.access_time=strftime('summary.access_time', "%+")