
User report acceleration in Sideviews

sbsbb
Builder

I have a report acceleration on:

... | timechart span=1s c by index,sourcetype

I would like to use it to make a report with the following elements:
- timechart as is, but only over the current day
- | stats sum(c) for the current day

If I use a hiddensavedsearch, I guess I would load all the results and not only those from the current day...
If I put a timepicker in front of it, I get an error.

sideview
SplunkTrust

I think maybe you're mixing up Report Acceleration with Scheduling Saved Searches?

When you put a TimeRangePicker upstream from a HiddenSavedSearch or SavedSearch module, and you leave the latter's "useHistory" param set to the default value of "auto", this creates a contradiction so a red error message appears in the UI. The red error message is basically telling you that you can either use the scheduled results and that timerange (which you're saying with useHistory="auto"), or you can let the user specify a timerange with the pulldown (which you're saying by having a TimeRangePicker there), but you can't have both.

I think the answer is to set

<param name="useHistory">False</param>

This will basically cause an ad-hoc search to be dispatched, there will be no ambiguity as to what timerange to use so it will use the TimeRangePicker, and since this is an accelerated report, it'll just run fast....

0 Karma
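The module nesting described in the answer above, as an added example that is not part of the original post. The saved search name `my_accelerated_report`, the "Today" default and the `JSChart` rendering module are assumptions chosen for illustration.

```xml
<!-- Added example: Advanced XML fragment, not taken from the thread. -->
<!-- The TimeRangePicker sits upstream, so its timerange is passed down. -->
<module name="TimeRangePicker" layoutPanel="panel_row1_col1">
  <!-- Assumed default selection: restrict the view to the current day. -->
  <param name="selected">Today</param>
  <param name="searchWhenChanged">True</param>

  <module name="HiddenSavedSearch" autoRun="True">
    <!-- Hypothetical saved search name; use the name of the accelerated report. -->
    <param name="savedSearch">my_accelerated_report</param>
    <!-- With the default "auto" the module may try to load scheduled results, -->
    <!-- which contradicts the picker upstream and produces the red error. -->
    <!-- False dispatches an ad-hoc search over the picker's timerange. -->
    <param name="useHistory">False</param>

    <!-- Any results module can go here; JSChart is only an assumption. -->
    <module name="JSChart" />
  </module>
</module>
```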

sideview
SplunkTrust

I believe that's correct. Every search that has the same search language will get accelerated.

As to setting useHistory to True and getting an error that no job was found - assuming there really is no job for that saved search, this is a configuration error. Setting useHistory to True, you are promising the module that there will be a job.

As to the other problem, about TimeRangePicker and SavedSearch with useHistory=True, there are a lot of other questions and answers on this topic. https://www.google.com/search?q=TimeRangePicker+HiddenSavedSearch+Configuration+Error

0 Karma

sbsbb
Builder

Actually I wanted to know how to use report acceleration, but I just learned that every search matching the hash from a report acceleration will be accelerated, is that correct?

With useHistory, I had an issue with sideview and I opened a bug with Splunk
CASE [133376] : useHistory set to True, but no job was found for
I don't know if you're able to see those tickets? If I understand your answer, it could be that hiddensavedsearch doesn't work because of the timestamp?

0 Karma

martin_mueller
SplunkTrust

On top of the prettiness of the display, timechart will not produce 86400 buckets in the first place:

! The specified span would result in too many (>50000) rows.
0 Karma

sbsbb
Builder

That's not really the issue here... I want to know how to use report acceleration. How nice the display is is not that important, I can handle this later.

0 Karma

martin_mueller
SplunkTrust

Charting an entire day in one-second resolution would give you 86400 buckets, way more than what you can reasonably display.

0 Karma