All Apps and Add-ons

User report acceleration in Sideviews

Builder

I have a report acceleration on :

... | timchart span=1s c by index,sourcetype

I would like to use it to make a report with following elements :
- timechart as is, but only over the current day
- | stats sum(c) for the current day

if I use a hiddensavedsearch, I guess I would load all the results and not only those from the current day...
If I put a timepicker in front of it, I get an error.

SplunkTrust
SplunkTrust

I think maybe you're mixing up Report Acceleration with Scheduling Saved Searches?

When you put a TimeRangePicker upstream from a HiddenSavedSearch or SavedSearch module, and you leave the latter's "useHistory" param set to the default value of "auto", this creates a contradiction so a red error message appears in the UI. The red error message is basically telling you that you can either use the scheduled results and that timerange (which you're saying with useHistory="auto"), or you can let the user specify a timerange with the pulldown (which you're saying by having a TimeRangePicker there), but you can't have both.

I think the answer is to set

<param name="useHistory">False</param>

This will basically cause an ad-hoc search to be dispatched, there will be no ambiguity as to what timerange to use so it will use the TimeRangePicker, and since this is an accelerated report, it'll just run fast....

0 Karma

SplunkTrust
SplunkTrust

I believe that's correct. every search that has the same search language will get accelerated.

As to setting useHistory to True and getting an error that no job was found - assuming there really is no job for that saved search, this is a configuration error. Setting useHistory to True, you are promising the module that there will be a job.

As to the other problem, about TimeRangePicker and SavedSearch with useHistory=True, there are a lot of other questions and answers on this topic. https://www.google.com/search?q=TimeRangePicker+HiddenSavedSearch+Configuration+Error

0 Karma

Builder

Actually I wanted to know how to use report acceleration, but I just learn, that every search that is matching the hash from a report acceleration, will be accelerate, is that correct ?

With useHistory, I had an issue with sideview and I opened a bug by Splunk
CASE [133376] : useHistory set to True, but no job was found for
I don't know if your able to see those tickets ? If I understand you answer, it could be that hiddensavesearch doesn't work because of the timestamp ?

0 Karma

SplunkTrust
SplunkTrust

On top of the prettiness of the display, timechart will not produce 86400 buckets in the first place:

! The specified span would result in too many (>50000) rows.
0 Karma

Builder

Thats not really the issue here... I want to know how to use report acceleration, how nice the display is, is not that important, I can handle this later

0 Karma

SplunkTrust
SplunkTrust

Charting an entire day in one-second resolution would give you 86400 buckets, way more than what you can reasonably display.

0 Karma