Splunk Search

Why I am unable to accelerate this report?

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm trying to get to grips with 'Report Acceleration' and I've managed to create one, but I think this was more luck than knowledge.

I'm trying to accelerate the report below, but for some reason, Splunk tells me that it's unable to do so.

index= main tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"
| eval shortForm='detail.formId'."  "
| eval shortForm =  substr(shortForm, 1, 6)
| sort 0  detail.messageId
| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId"
| chart count by shortForm
| eval pieSlice=shortForm  + " " + count
| fields pieSlice, count

I've been reading through the documentation and through a tutorial in a book I have (Splunk Operational Intelligence Cookbook), and I think I have the correct streaming and transforming commands in place, so I'm unsure why this is failing.

Could someone perhaps tell me please why I'm unable to accelerate this report?

Many thanks and kind regards

Chris

1 Solution

lguinn2
Legend

I believe that the reason this won't accelerate is because you used the sort command (which is not distributable or streaming). But you didn't need sort anyway. I have simplified your search, but it should give the same result:

index= main tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"  
| eval shortForm='detail.formId'."  " 
| eval shortForm =  substr(shortForm, 1, 6) 
| stats first(shortForm) as shortForm by "detail.messageId" 
| chart count by shortForm  
| eval pieSlice=shortForm  + " " + count  
| fields pieSlice, count

Look here for more information on which commands are streaming commands.
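As an added example (not part of the thread and not Splunk's own tooling), the Python lint below applies the rule the answer describes: split the search into pipeline stages and flag any non-streaming command that appears before the first transforming command. The three command tables are an assumed subset of the categories on Splunk's command-types documentation page, not the full list, and subsearches in square brackets are not parsed. The two searches embedded at the bottom are the ones from this thread with whitespace normalised.

```python
"""Lint an SPL search against the report-acceleration rule: every command
before the first transforming command must be a streaming command.
Added example; the command tables are an assumed subset of Splunk's
published command categories, not an authoritative list."""
from dataclasses import dataclass

# Assumed subset of Splunk's command categories. Extend for your environment;
# an unlisted command is reported rather than silently accepted.
STREAMING = {"search", "eval", "fields", "rename", "rex", "regex", "where", "lookup"}
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}
NON_STREAMING = {"sort", "transaction"}  # need the whole result set first


@dataclass
class Finding:
    position: int   # 1-based index of the pipeline stage
    command: str
    reason: str


def split_pipeline(spl: str) -> list[str]:
    """Split on '|' characters that sit outside double-quoted strings,
    honouring backslash escapes, so a quoted pipe does not start a stage."""
    stages, buf, in_quote, escaped = [], [], False, False
    for ch in spl:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == "|" and not in_quote:
            stages.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf))
    return [s.strip() for s in stages if s.strip()]


def command_name(stage: str, first: bool, leading_pipe: bool) -> str:
    """First token, lowercased. The first stage of a search that does not
    begin with '|' is an implicit 'search' unless it names a known command."""
    name = stage.split(None, 1)[0].lower()
    known = STREAMING | TRANSFORMING | NON_STREAMING
    if first and not leading_pipe and name not in known:
        return "search"
    return name


def acceleration_blockers(spl: str) -> list[Finding]:
    """Return the stages that stop Splunk from accelerating this report."""
    stages = split_pipeline(spl)
    leading_pipe = spl.lstrip().startswith("|")
    findings: list[Finding] = []
    seen_transforming = False
    for pos, stage in enumerate(stages, start=1):
        cmd = command_name(stage, pos == 1, leading_pipe)
        if cmd in TRANSFORMING:
            seen_transforming = True
        elif seen_transforming or cmd in STREAMING:
            continue  # after the first transforming command anything goes
        elif cmd in NON_STREAMING:
            findings.append(Finding(pos, cmd, "non-streaming command before the first transforming command"))
        else:
            findings.append(Finding(pos, cmd, "unclassified command; add it to a table before trusting the result"))
    if not seen_transforming:
        findings.append(Finding(len(stages), "-", "no transforming command; report acceleration needs one"))
    return findings


# The two searches from the thread, whitespace normalised.
ORIGINAL = ('index=main tags.transactionName="Send Email Alert" auditType="TxSucceeded" '
            '| eval shortForm=\'detail.formId\'."  " | eval shortForm=substr(shortForm, 1, 6) '
            '| sort 0 detail.messageId '
            '| stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId" '
            '| chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count')
SIMPLIFIED = ORIGINAL.replace("| sort 0 detail.messageId ", "").replace("dc(detail.messageId) ", "")

if __name__ == "__main__":
    for label, spl in (("original", ORIGINAL), ("simplified", SIMPLIFIED)):
        print(label, acceleration_blockers(spl) or "accelerable")
```

Run stand-alone, it reports the `sort` stage (stage 4) for the original search and "accelerable" for the simplified one. Unknown commands are reported rather than accepted on purpose: a lint that guesses a command is streaming would hide exactly the failure this thread is about, so fill the tables from the documentation for the Splunk version you run before relying on it.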

IRHM73
Motivator

Hi @lguinn2, thank you for coming back to me with this and for the link.

Many thanks and kind regards

Chris

IRHM73
Motivator

Hi @lguinn2, thank you very much for taking the time to reply to my post and for the help. The query works great.

May I just ask, is there a list anywhere of the 'Streaming Commands' which I could refer to?

Many thanks and kind regards

Chris

lguinn2
Legend

Updated my original answer with a link for you!
