Hi Splunk professionals,
I have 1 indexer and 2 search heads.
From a search head, I am having a strange situation where the following search never starts when the option values of appendcols are set to unlimited. Also, the search job status stays at "parsing" forever.
index=proxy sourcetype=proxy status=200 earliest=1524409200 latest=1524495599
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/23" by time1
| appendcols maxtime=0 maxout=0 [search index=proxy sourcetype=proxy status=200 earliest=1524495600 latest=1524581999
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/24" by time1 ]
Additionally, I set 720 for the maxtime values in limits.conf.
Is it possible to set an unlimited value for "appendcols"?
Or should I disable the maxtime values in limits.conf?
Actually, this search is really slow even if I do not set unlimited values for the options.
Any opinion will be appreciated.
Regards,
You are over-complicating it; just avoid the whole mess; run this for the last 2 days:
index=proxy sourcetype=proxy status=200
| timechart span=1h count
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%m/%d/%Y")
| chart limit=0 avg(count) BY day hour
You might have to add a reverse along with a tail 2 or a head 2, depending on how things end up.
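An added example, not part of the original answer: a Python model (not SPL) of the two approaches over constructed proxy events, assuming appendcols merges subsearch rows onto the main results by row position. It goes slightly beyond the thread by including a day with a missing hour, where the two-search version puts a count under the wrong hour and the single keyed pass does not; all function names and timestamps are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

def ts(day, hour, minute=0):
    """Epoch seconds for a constructed event on 2018-04-<day>, UTC."""
    return int(datetime(2018, 4, day, hour, minute, tzinfo=timezone.utc).timestamp())

# Constructed status=200 events: 04/23 has hours 00, 01, 02; 04/24 has no hour 01.
EVENTS = [ts(23, 0), ts(23, 0, 30), ts(23, 1), ts(23, 2),
          ts(24, 0), ts(24, 2), ts(24, 2, 45), ts(24, 2, 50)]

def _dt(t):
    return datetime.fromtimestamp(t, timezone.utc)

def chart_by_hour(events, earliest, latest):
    """Model of one per-day search: (hour, count) rows, only for hours with events."""
    hits = Counter(_dt(t).strftime("%H") for t in events if earliest <= t <= latest)
    return sorted(hits.items())

def appendcols_model(main, sub):
    """Paste the subsearch count onto main rows by row position, not by hour."""
    return [(hour, count, sub[i][1] if i < len(sub) else None)
            for i, (hour, count) in enumerate(main)]

def two_searches(events):
    """Model of the question's approach: one search per day, glued side by side."""
    day1 = chart_by_hour(events, ts(23, 0), ts(23, 23, 59))
    day2 = chart_by_hour(events, ts(24, 0), ts(24, 23, 59))
    return appendcols_model(day1, day2)

def single_pass(events):
    """Model of the answer's approach: one scan, counts keyed by (day, hour)."""
    table = defaultdict(Counter)
    for t in events:
        table[_dt(t).strftime("%m/%d/%Y")][_dt(t).strftime("%H")] += 1
    return {day: dict(hours) for day, hours in table.items()}

if __name__ == "__main__":
    print(two_searches(EVENTS))   # hour "01" is shown with 04/24's hour-02 count
    print(single_pass(EVENTS))    # each count stays attached to its own day and hour
```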
Thanks for your great advice and your recommended SPL.
It was better than before, although it still takes time to get search results.
I'm checking disk I/O info and other server problems.
After investigating, I will check search performance again.
Thanks a lot.
If any answer got you what you need, do click Accept to close it.
What time are you selecting on the time picker?