Splunk Dev

Can you help me accelerate a dataset that has streaming commands?

xanthakita
Path Finder

I am trying to accelerate a dataset I created, and it tells me I can't because it has streaming commands.
I'm not sure if there is some better way to accelerate this dataset so it's faster for general searches.

Here is the query that builds the dataset:

index=netcool_noi_1 sourcetype=netcool:policylogger netcool_serial=* reporting_results=*
| eval unassigned="FALSE"
| eval enriched="FALSE"
| eval correlated="FALSE"
```the capture-group names for node, server_serial and circuit_id did not survive extraction of this post and are assumed; parentCircuitId and testfield are the names the evals below reference```
| rex field=reporting_results "NODE:\s+(?<node>\S+)\s+"
| rex field=_raw "SERVER_SERIAL\:\s+(?<server_serial>\d+)"
| rex field=_raw "REPORTING RESULTS: ENRICHED WITH PARENT CIRCUIT ID FROM PLUCK:\s+(?<parentCircuitId>\S+\s+\S+\s+\S+)\s+"
| rex field=_raw "REPORTING RESULTS: ENRICHED WITH CIRCUIT ID FROM RESOLVE MSS DATA FOR NODE:.*CIRCUIT ID:\s+(?<circuit_id>.*)\s+RATE\s+"
| rex field=_raw "REPORTING RESULTS: (?<testfield>\S+)\s+"
| eval enriched=if(testfield="ENRICHED", "TRUE", enriched)
| eval unassigned=if(like(reporting_results,"%UNASSIGNED%"), "TRUE", "FALSE")
| eval correlated=if(testfield="CORRELATED", "TRUE", correlated)
| transaction netcool_serial maxevents=7 keeporphans=1 keepevicted=1 mvlist=enriched,correlated,unassigned
| eval unassigned=if(isnotnull(mvfind(unassigned, "^TRUE$")), "TRUE", "FALSE")
| eval enriched=if((isnotnull(mvfind(enriched, "^TRUE$")) OR isnotnull(parentCircuitId)) AND unassigned="FALSE", "TRUE", "FALSE")
| eval correlated=if(isnotnull(mvfind(correlated, "^TRUE$")), "TRUE", "FALSE")
| eval parentfound=if(isnotnull(parentCircuitId), "TRUE", "FALSE")

Any suggestions?

0 Karma

xanthakita
Path Finder

Thank you @mstjohn_splunk for putting my code into a code block. I intended to do that and got dragged away to another emergency. Now if someone just has some insight on a better way to build this dataset so it can be accelerated.

0 Karma
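The command that stops acceleration in the query above is `transaction`: it has to hold every event for a `netcool_serial` before it can emit the grouped row, so it is not a streaming command, and it is also one of the most expensive ways to group events. Everything before it (the `rex` and `eval` lines) is streaming. The added example below is not from the original post; it reproduces the same per-serial flags with `stats`, which is the usual replacement for `transaction` when the only thing needed from the group is "did any event in it have X". It assumes the same index, sourcetype and field names as the query in the thread, assumes the name `node` for the capture group whose name did not survive extraction, and introduces the per-event helper fields `enriched_ev`, `correlated_ev`, `unassigned_ev` and `parent_ev` (names chosen here, not from the post). The SERVER_SERIAL and CIRCUIT ID extractions are left out because the flags do not depend on them; they can be added back as extra `rex` lines before `stats` and carried through with `values()`.

```spl
index=netcool_noi_1 sourcetype=netcool:policylogger netcool_serial=* reporting_results=*
| rex field=reporting_results "NODE:\s+(?<node>\S+)\s+"
| rex field=_raw "REPORTING RESULTS: ENRICHED WITH PARENT CIRCUIT ID FROM PLUCK:\s+(?<parentCircuitId>\S+\s+\S+\s+\S+)\s+"
| rex field=_raw "REPORTING RESULTS: (?<testfield>\S+)\s+"
| eval enriched_ev=if(testfield="ENRICHED", 1, 0)
| eval correlated_ev=if(testfield="CORRELATED", 1, 0)
| eval unassigned_ev=if(like(reporting_results, "%UNASSIGNED%"), 1, 0)
| eval parent_ev=if(isnotnull(parentCircuitId), 1, 0)
| stats min(_time) as _time, max(enriched_ev) as enriched_any, max(correlated_ev) as correlated_any, max(unassigned_ev) as unassigned_any, max(parent_ev) as parent_any, values(node) as node, values(parentCircuitId) as parentCircuitId, count as event_count by netcool_serial
| eval unassigned=if(unassigned_any=1, "TRUE", "FALSE")
| eval enriched=if((enriched_any=1 OR parent_any=1) AND unassigned="FALSE", "TRUE", "FALSE")
| eval correlated=if(correlated_any=1, "TRUE", "FALSE")
| eval parentfound=if(parent_any=1, "TRUE", "FALSE")
| fields - enriched_any correlated_any unassigned_any parent_any
```

Each `*_ev` field is 1 when that single event carries the condition, and `max()` over the serial turns "any event had it" into a 0/1 per serial, which is what the `in("TRUE", ...)` checks after the `transaction` were doing against the multivalue lists. Two caveats a practitioner should weigh before adopting this. First, `stats` groups all events for a serial in the search time range, with no equivalent of `maxevents=7`; if that cap mattered for correctness, it has to be enforced another way. Second, `stats` is a transforming command, so this search still cannot back an accelerated data model root search dataset; where it does help is that a saved search ending in `stats` is eligible for report acceleration, and it can be scheduled into a summary index. The other option is to accelerate only the streaming part: make the events plus the `rex` and `eval` lines above the `stats` the root dataset (rex and eval are both supported as calculated fields), and do the per-serial rollup at search time with `tstats max(...) by netcool_serial` over the accelerated data.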