Hi, I wonder whether someone may be able to help me please.
I'm trying to get to grips with 'Report Acceleration' and I've managed to create one, but I think this was more luck than knowledge.
I'm trying to accelerate the report below, but for some reason, Splunk tells me that it's unable to do so.
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'." "
| eval shortForm = substr(shortForm, 1, 6)
| sort 0 detail.messageId
| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId"
| chart count by shortForm
| eval pieSlice=shortForm + " " + count
| fields pieSlice, count
I've been reading through the documentation and through a tutorial in a book I have (Splunk Operational Intelligence Cookbook), and I think I have the correct streaming and transforming commands in place, so I'm unsure why this is failing.
Could someone perhaps tell me please why I'm unable to accelerate this report?
Many thanks and kind regards
Chris
I believe that the reason this won't accelerate is because you used the sort
command (which is not distributable or streaming). But you didn't need sort
anyway. I have simplified your search, but it should give the same result:
index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded"
| eval shortForm='detail.formId'." "
| eval shortForm = substr(shortForm, 1, 6)
| stats first(shortForm) as shortForm by "detail.messageId"
| chart count by shortForm
| eval pieSlice=shortForm + " " + count
| fields pieSlice, count
Look here for more information on which commands are streaming commands.
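As an added illustration of the rule in this answer (not code from the thread or from Splunk): a small Python checker that walks a search's pipeline and reports whether a non-streaming command such as sort sits before the first transforming command. The command tables are an assumed hand-picked subset of SPL, not the full command reference, and the two embedded searches are the ones from this thread.

```python
"""Heuristic pre-check for Splunk report acceleration (added example, not Splunk code).
Rule from the thread: every command before the first transforming command must be
streaming. The command tables are an assumed subset of SPL, not the full reference."""

STREAMING = {"search", "eval", "fields", "rename", "rex", "regex", "where", "spath", "lookup"}
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}   # first one ends the prefix
NON_STREAMING = {"sort", "head", "tail", "transaction", "join", "append", "eventstats", "reverse"}

# The two searches from the thread: the original (with sort) and the simplified one.
ORIGINAL = ('index= main tags.transactionName = "Send Email Alert" auditType="TxSucceeded" '
            '| eval shortForm=\'detail.formId\'." " | eval shortForm = substr(shortForm, 1, 6) '
            '| sort 0 detail.messageId | stats dc(detail.messageId) first(shortForm) as shortForm '
            'by "detail.messageId" | chart count by shortForm '
            '| eval pieSlice=shortForm + " " + count | fields pieSlice, count')
SIMPLIFIED = ORIGINAL.replace("| sort 0 detail.messageId ", "").replace("dc(detail.messageId) ", "")

def split_pipeline(spl):
    """Split on '|' characters that sit outside single or double quotes."""
    segments, buf, quote = [], [], None
    for ch in spl:
        if quote:                       # inside a quoted string, '|' is literal
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "|":
            segments.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    segments.append("".join(buf).strip())
    return segments

def pipeline_commands(spl):
    """Command name of each stage; a non-empty leading segment is the implicit 'search'."""
    names = []
    for i, seg in enumerate(split_pipeline(spl)):
        if seg:                         # empty first segment when the search starts with '|'
            names.append("search" if i == 0 else seg.split(None, 1)[0].lower())
    return names

def check_acceleration(spl):
    """Return (accelerable, reason), stopping at the first transforming command."""
    for cmd in pipeline_commands(spl):
        if cmd in TRANSFORMING:
            return True, f"streaming prefix ends at transforming command '{cmd}'"
        if cmd in NON_STREAMING:
            return False, f"non-streaming command '{cmd}' precedes the first transforming command"
        if cmd not in STREAMING:
            return False, f"command '{cmd}' is not in the known streaming set; verify before accelerating"
    return False, "no transforming command found"
```

Commands that the checker does not recognise are reported as unverified rather than assumed streaming, so the Splunk command reference remains the authority for anything outside the tables.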
Hi @lguinn, thank you for coming back to me with this and for the link.
Many thanks and kind regards
Chris
Hi @lguinn, thank you very much for taking the time to reply to my post and for the help. The query works great.
May I just ask, is there a list anywhere of the 'Streaming Commands' which I could refer to?
Many thanks and kind regards
Chris
Updated my original answer with a link for you!