- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Command "appendcols" has never started searchi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Command "appendcols" has never started searching when i set its unlimited option.
Hi splunk professionals,
I have 1 Indexer, 2 search head.
From search head, I am having the strange situation that the following search has been never started when the option value of appendcols is set unlimited. Also the search job status is "parsing" eternally.
index=proxy sourcetype=proxy status=200 earleist=1524409200 latest=1524495599
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/23" by time1
| appendcols maxtime=0 maxout=0 [search index=proxy sourcetype=proxy status=200 earleist=1524495600 latest=1524581999
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/24" by time1 ]
Additionally, I set 720 for the maxtime values in limits.conf.
Is it possible to set an unlimited value for "appendcols"?
Or should I make maxtime values disable in limits.conf
Actually, this search is really slow even if I do not set unlimited values for option.
Any opinion will be appreciated.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are over-complicating it; just avoid the whole mess; run this for the last 2 days:
index=proxy sourcetype=proxy status=200
| timechart span=1h count
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%m/%d/%Y")
| chart limit=0 avg(count) BY day hour
You might have to add a reverse along with a tail 2 or a head 2 depending on how things end up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your great advice and your recommended SPL.
It was better than before, although it is necessary to take time to get search results.
I'm checking disk I/O info and another server problems.
After investigating, I will check search performance again.
Thank a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If any answer got you what you need, do click Accept to close it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What time you are selecting on time picker?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
