- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why I am unable to accelerate this report?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone may be able to help me please.
I'm trying to get to grips with 'Report Acceleration' and I've managed to create one, but I think this was more luck than knowledge.
I'm trying to accelerate the report below, but for some reason, Splunk tells me that it's unable to do so.
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded" | eval shortForm='detail.formId'." " | eval shortForm = substr(shortForm, 1, 6) | sort 0 detail.messageId | stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId" | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
I've been reading through the documentation and through a tutorial in a book I have (Splunk Operational Intelligence Cookbook), and I think I have the correct streaming and transforming commands in place, so I'm unsure why this is failing.
Could someone perhaps tell me please why I'm unable to accelerate this report?
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe that the reason this won't accelerate is because you used the sort command (which is not distributable or streaming). But you didn't need sort anyway. I have simplified your search, but it should give the same result:
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'." "
| eval shortForm = substr(shortForm, 1, 6)
| stats first(shortForm) as shortForm by "detail.messageId"
| chart count by shortForm
| eval pieSlice=shortForm + " " + count
| fields pieSlice, count
Look here for more information on which commands are streaming commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe that the reason this won't accelerate is because you used the sort command (which is not distributable or streaming). But you didn't need sort anyway. I have simplified your search, but it should give the same result:
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'." "
| eval shortForm = substr(shortForm, 1, 6)
| stats first(shortForm) as shortForm by "detail.messageId"
| chart count by shortForm
| eval pieSlice=shortForm + " " + count
| fields pieSlice, count
Look here for more information on which commands are streaming commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Iguinn, thank you for coming back to me with this and for the link.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Iguinn, thank you very much for taking the time to reply to my post and for the help. The query works great.
May I just ask, is there a list anywhere of the 'Streaming Commands' which I could refer to?
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated my original answer with a link for you!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
