Archive
Highlighted

Is the search with eval with match in case statement elegible to report acceleration?

Engager

Hello everyone!!!

This is a search that I was used to setting up a report with acceleration. But in the Report Acceleration Summaries appear as 0% Complete since yesterday. I don't know if this search is elegible to report acceleration? Also any suggestions to speed up the search will be welcome.

Thanks in advance.

sourcetype=f5logs  | eval page_type = case(match(http_uri,"html"),"PDP", match(http_uri,"\/l\/"),"PLP", match(http_uri,"\/api\/(?!user)"),"All API", match(http_uri,"\/api\/user(?!\/placeOrder)"),"User API", match(http_uri,"\/g\/"),"GLP", match(http_uri,"\/c\/"),"Category", match(http_uri,"\.gif|\.jpg|\.js|\.css"),"Assets", match(http_uri,"/api\/user\/placeOrder"),"PlaceOrder", match(http_uri_query,"searchinfo"),"Search", match(http_uri,"\/searchsite\/default\.aspx|\/catalog\.tpl|\^/$$") AND match(http_uri_query,"^((?!searchinfo).)*$$"), "Home", match(http_uri,"^((?!html|\/l\/|\/api\/|\/g\/|\/searchsite\/default\.aspx|/catalog\.tpl|\^/$$|\/g\/|\/c\/|\.gif|\.jpg|\.js|\.css).)*$$") AND match(http_uri_query,"^((?!searchinfo).)*$$"),"Others") | stats count by page_type

alt text

Tags (1)
0 Karma

Re: Is the search with eval with match in case statement elegible to report acceleration?

SplunkTrust
SplunkTrust

eval and match are no problem here, that doesn't stop a search from being accelerate-able.

Looking at your summarization load of basically 1, it appears there has been a summarization search running since you enabled the summary... give it time if you have a huge amount of data in that sourcetype.

0 Karma
Highlighted

Re: Is the search with eval with match in case statement elegible to report acceleration?

Engager

Thanks Martin for clarifying.

I found the problem. !!!
The problem is with regular expression, substituting double $$ with single $ the report accelartion started to work.

Thanks for your help.

View solution in original post

0 Karma