topic Report Acceleration Summaries always stay 0% in Reporting

Report Acceleration Summaries always stay 0%

chengyu — Tue, 06 May 2014 15:10:59 GMT

Hi, i use Report Acceleration Summaries hope improve search speed. But always stay 0%, i search document seem not use "＊", i try delete dstip != 123.＊.＊.＊, but status the same. How should i do?

my search:

index=fg-1000c srcip !=1.1.1.1 dstip != 123.＊.＊.＊  
| fillnull value=SSL attack
|  eval bandwidth=rcvdbyte+sentbyte 
| eval bandwidth(MB) = round(bandwidth/1024/1024,2) 
| strcat " " time " " as Date | eval n = coalesce(hostname, host_name) |strcat " " n url " " as weburl 
| stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(attack) as app last(Date) as FirstDate first(Date) as LastDate values(weburl) as weburl by dstip 
| table srcip,dstip,app,FirstDate,LastDate,bandwidth(MB),weburl 
| sort bandwidth(MB) desc

Re: Report Acceleration Summaries always stay 0%

lguinn2 — Wed, 07 May 2014 01:46:37 GMT

I actually don't see how this search works at all...

Try this:

index=fg-1000c srcip !=1.1.1.1 dstip != 123.＊.＊.＊  
| fillnull value="SSL" attack
| eval bandwidth=rcvdbyte+sentbyte 
| eval bandwidthMB = round(bandwidth/1024/1024,2) 
| strcat " " time " " as Date 
| eval n = coalesce(hostname, host_name) 
| strcat " " n url " " as weburl 
| stats sum(bandwidthMB) as bandwidthMB values(srcip) as srcip values(attack) as app earliest(Date) as FirstDate latest(Date) as LastDate values(weburl) as weburl by dstip 
| table srcip, dstip, app, FirstDate, LastDate, bandwidthMB, weburl 
| sort bandwidthMB desc

Also, realize that Splunk will not accelerate searches if there is insufficient data to justify the cost of acceleration.

Searches that contain "not equals" will generally be slower than searches that use "equals". You are effectively asking Splunk to serially search every bucket in the time range of the search.

Re: Report Acceleration Summaries always stay 0%

chengyu — Fri, 09 May 2014 03:34:28 GMT

Hi, i search splunk document i find can't use command table must use chart, timechart, stats, and top...

ＨＴＴＰ://docs.splunk.com/Documentation/Splunk/5.0.8/Knowledge/Manageacceleratedsearchsummaries

I'm modify search, but always stay 0%...

index=xxx

| fillnull value="SSL" attack
| eval bandwidth=rcvdbyte+sentbyte
| eval bandwidthMB = round(bandwidth/1024/1024,2)
| strcat " " time " " as Date
| eval n = coalesce(hostname, host_name)
| strcat " " n url " " as weburl
| stats sum(bandwidthMB) as bandwidthMB values(srcip) as srcip values(attack) as app earliest(Date) as FirstDate latest(Date) as LastDate values(weburl) as weburl by dstip