topic Re: Accelerating report that uses bucket _time in Splunk Search

Accelerating report that uses bucket _time

jpillai — Fri, 07 Jun 2024 16:43:13 GMT

Hi All,

I have a report running every 6 hour with below search query. This is fetching hourly availability of haproxy backends based on http response code as shown below.

I need to accelerate this report, but I think the bucket section of the search is disqualifying this for report acceleration. Can someone help with modifying this search so that it can be accelerated or are there any other work arounds to do this to get the exact same table as shown?

index=haproxy (backend="backend1" OR backend="backend2") | bucket _time span=1h | eval result=if(status >= 500, "Failure", "Success") | stats count(result) as totalcount, count(eval(result="Success")) as success, count(eval(result="Failure")) as failure by backend, _time | eval availability=tostring(round((success/totalcount)*100,3)) + "%" | fields _time, backend, success, failure, totalcount, availability

_time backend success failure totalcount availability

2024-06-07 04:00	backend1	28666	28666	100.000%
2024-06-07 05:00	backend1	28666	28666	100.000%
2024-06-07 06:00	backend1	28712	28712	100.000%
2024-06-07 07:00	backend1	28697	28697	100.000%
2024-06-07 08:00	backend1	28678	28678	100.000%
2024-06-07 09:00	backend1	28714	28714	100.000%
2024-06-07 04:00	backend2	618	618	100.000%
2024-06-07 05:00	backend2	179	179	100.000%
2024-06-07 06:00	backend2	555	555	100.000%
2024-06-07 07:00	backend2	103	103	100.000%
2024-06-07 08:00	backend2	1039	1039	100.000%

Re: Accelerating report that uses bucket _time

tscroggins — Sat, 08 Jun 2024 15:16:20 GMT

Hi @jpillai,

It should work as written, although you don't need the extra fields command.

What process did you use to accelerate the report? If you used Splunk Web, were any errors reported by the user interface?

Re: Accelerating report that uses bucket _time

PickleRick — Sat, 08 Jun 2024 20:35:53 GMT

It seems perfectly acceleratable. The bin command is a streaming one so the requirements for only streaming commands before first transforming command is fulfilled.

You could try to use summary indexing here though instead of report acceleration - this would give you more flexibility in using the summarized data later should you need to reference it in other searches.

Re: Accelerating report that uses bucket _time

jpillai — Sun, 09 Jun 2024 09:35:34 GMT

Splunk says "This search cannot be accelerated" when I go to enable acceleration for the report and hit save,

Re: Accelerating report that uses bucket _time

jpillai — Sun, 09 Jun 2024 09:37:54 GMT

I used splunk web interface, went to reports > edit acceleration for the specific report > clicked save and it says "This search cannot be accelerated". Please find screenshot in the other reply.

Re: Accelerating report that uses bucket _time

PickleRick — Sun, 09 Jun 2024 17:49:19 GMT

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageacceleratedsearchsummaries#Restrictions_on_report_acceleration

Since the search itself qualifies for acceleration, most probably your user role either lacks capabilities to enable accelerations or write permissions for the report.

Re: Accelerating report that uses bucket _time

jpillai — Mon, 10 Jun 2024 09:52:20 GMT

Im afraid this is not the the case. I have admin role and I have enabled acceleration for other reports before. Please also note that the error is "*This search* can not be accelerated" as mentioned in above replies.

Re: Accelerating report that uses bucket _time

jpillai — Mon, 10 Jun 2024 10:11:25 GMT

Oh wait. I missed to include one last update that was added to the search which is search time window in the search itself. The search uses time window (earliest=@h-6h latest=@h) as shown below. When I removed this, I found that it is possible to set acceleration. Is this a known limitation?

index=haproxy (backend="backend1" OR backend="backend2") earliest=@h-6h latest=@h | bucket _time span=1h | eval result=if(status >= 500, "Failure", "Success") | stats count(result) as totalcount, count(eval(result="Success")) as success, count(eval(result="Failure")) as failure by backend, _time | eval availability=tostring(round((success/totalcount)*100,3)) + "%" | fields _time, backend, success, failure, totalcount, availability

Re: Accelerating report that uses bucket _time

jpillai — Mon, 10 Jun 2024 10:11:45 GMT

Re: Accelerating report that uses bucket _time

PickleRick — Mon, 10 Jun 2024 11:47:43 GMT

I suppose one can argue that it falls under the "cannot use sampling" restriction but I agree that it could be more explicitly worded.

There is a feedback form at the end of the docs page. You're more than welcome to send feedback about this missing info. They do read it and react!