Command "appendcols" never starts searching when I set its unlimited option.

Path Finder

Hi Splunk professionals,

I have 1 indexer and 2 search heads.
From a search head, I am seeing a strange situation: the following search never starts when the option values of appendcols are set to unlimited. Also, the search job status stays at "parsing" forever.

index=proxy sourcetype=proxy status=200 earliest=1524409200 latest=1524495599
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/23" by time1
| appendcols maxtime=0 maxout=0 [search index=proxy sourcetype=proxy status=200 earliest=1524495600 latest=1524581999
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/24" by time1 ]

Additionally, I set the maxtime value to 720 in limits.conf.

Is it possible to set an unlimited value for "appendcols"?
Or should I disable the maxtime value in limits.conf?

Actually, this search is really slow even if I do not set unlimited values for the options.
Any opinion will be appreciated.


0 Karma

Esteemed Legend

You are over-complicating it; just avoid the whole mess; run this for the last 2 days:

index=proxy sourcetype=proxy status=200
| timechart span=1h count
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%m/%d/%Y")
| chart limit=0 avg(count) BY day hour

You might have to add a reverse along with a tail 2 or a head 2 depending on how things end up.

Path Finder

Thanks for your great advice and your recommended SPL.

It was better than before, although it still takes time to get search results.
I'm checking disk I/O info and other server problems.
After investigating, I will check search performance again.

Thanks a lot.

0 Karma

Esteemed Legend

If any answer got you what you need, do click Accept to close it.

0 Karma


What time are you selecting on the time picker?

0 Karma