Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Acceleration grayed out

jairjr
Path Finder
‎04-24-2017 09:15 PM

Any idea why I can't enable acceleration for this simple transformation:

sourcetype=iis tag::host="aDC" OR tag::host="bDC" OR tag::host="cDC" | timechart count by tag::host

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jairjr
Path Finder
‎04-26-2017 11:31 AM

This worked:
sourcetype=iis | eval hosttag = if("tag::host" == "c" OR "tag::host" == "b" OR "tag::host" == "c", "tag::host", null()) | timechart count by tag::host

if I try "| timechart count by hosttag" I get a count named NULL instead.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jairjr
Path Finder
‎04-26-2017 11:31 AM

This worked:
sourcetype=iis | eval hosttag = if("tag::host" == "c" OR "tag::host" == "b" OR "tag::host" == "c", "tag::host", null()) | timechart count by tag::host

if I try "| timechart count by hosttag" I get a count named NULL instead.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-26-2017 01:55 PM

In an eval command, the single quotes are used to enclose field names that have special characters on the right side of the equals sign (=).

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-25-2017 06:02 PM

I'm curious what happens if you try this:

sourcetype=iis 
| eval hosttag=if('tag::host'=="aDC" OR 'tag::host'=="bDC" OR 'tag::host'=="cDC"),'tag::host',null())
| timechart count by hosttag

I don't know if the single quotes around tag::host are needed or if this will even work at all. Just curious.

Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-26-2017 09:33 AM

The single quotes are needed, and I was able to enable acceleration just fine, thank you. Can you let me know why this way worked?

0 Karma
Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-26-2017 09:41 AM

But interesting, that way the hosttag var is not populated.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-26-2017 10:28 AM

Did it work or not?

If not, can you show me what event types make those tags? I can then craft the search without tags.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-25-2017 10:53 AM

Hello jairjr,
please read here: http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Manageacceleratedsearchsummaries#Restric...
specially this: "In addition, be careful when accelerating reports whose base searches include tags, event types, search macros, and other knowledge objects whose definitions can change independently of the report after the report is accelerated. If this happens, the accelerated report can return invalid results."

Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-25-2017 10:59 AM

Hi adonio thank you for the answer, I know that using tags is not a good practice but this is just a warning, it should let me enable acceleration. Shouldn't it?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-25-2017 11:49 AM

can you enable acceleration on any search? try index = * | timechart count by host

0 Karma
Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-25-2017 03:21 PM

Yes, I can even go to another saved report and enable it.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...