Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Command "appendcols" has never started searching when i set its unlimited option.

Shuhei052492
Path Finder
‎04-24-2018 07:56 PM

Hi splunk professionals,

I have 1 Indexer, 2 search head.
From search head, I am having the strange situation that the following search has been never started when the option value of appendcols is set unlimited. Also the search job status is "parsing" eternally.

index=proxy sourcetype=proxy status=200 earleist=1524409200 latest=1524495599
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/23" by time1
| appendcols maxtime=0 maxout=0 [search index=proxy sourcetype=proxy status=200 earleist=1524495600 latest=1524581999
| eval time1=strftime(_time,"%H")
| chart count(status) AS "2018/apl/24" by time1 ]

Additionally, I set 720 for the maxtime values in limits.conf.

Is it possible to set an unlimited value for "appendcols"?
Or should I make maxtime values disable in limits.conf

Actually, this search is really slow even if I do not set unlimited values for option.
Any opinion will be appreciated.

Regards,

0 Karma
Reply

woodcock
Esteemed Legend
‎04-25-2018 01:30 AM

You are over-complicating it; just avoid the whole mess; run this for the last 2 days:

index=proxy sourcetype=proxy status=200
| timechart span=1h count
| eval hour=strftime(_time, "%H")
| eval day=strftime(_time, "%m/%d/%Y")
| chart limit=0 avg(count) BY day hour

You might have to add a reverse along with a tail 2 or a head 2 depending on how things end up.

Reply

Shuhei052492
Path Finder
‎04-25-2018 06:24 PM

Thanks for your great advice and your recommended SPL.

It was better than before, although it is necessary to take time to get search results.
I'm checking disk I/O info and another server problems.
After investigating, I will check search performance again.

Thank a lot.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-25-2018 08:11 PM

If any answer got you what you need, do click Accept to close it.

0 Karma
Reply

p_gurav
Champion
‎04-25-2018 01:15 AM

What time you are selecting on time picker?

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...