Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Acceleration grayed out

jairjr
Path Finder
‎04-24-2017 09:15 PM

Any idea why I can't enable acceleration for this simple transformation:

sourcetype=iis tag::host="aDC" OR tag::host="bDC" OR tag::host="cDC" | timechart count by tag::host

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jairjr
Path Finder
‎04-26-2017 11:31 AM

This worked:
sourcetype=iis | eval hosttag = if("tag::host" == "c" OR "tag::host" == "b" OR "tag::host" == "c", "tag::host", null()) | timechart count by tag::host

if I try "| timechart count by hosttag" I get a count named NULL instead.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jairjr
Path Finder
‎04-26-2017 11:31 AM

This worked:
sourcetype=iis | eval hosttag = if("tag::host" == "c" OR "tag::host" == "b" OR "tag::host" == "c", "tag::host", null()) | timechart count by tag::host

if I try "| timechart count by hosttag" I get a count named NULL instead.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-26-2017 01:55 PM

In an eval command, the single quotes are used to enclose field names that have special characters on the right side of the equals sign (=).

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-25-2017 06:02 PM

I'm curious what happens if you try this:

sourcetype=iis 
| eval hosttag=if('tag::host'=="aDC" OR 'tag::host'=="bDC" OR 'tag::host'=="cDC"),'tag::host',null())
| timechart count by hosttag

I don't know if the single quotes around tag::host are needed or if this will even work at all. Just curious.

Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-26-2017 09:33 AM

The single quotes are needed, and I was able to enable acceleration just fine, thank you. Can you let me know why this way worked?

0 Karma
Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-26-2017 09:41 AM

But interesting, that way the hosttag var is not populated.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎04-26-2017 10:28 AM

Did it work or not?

If not, can you show me what event types make those tags? I can then craft the search without tags.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-25-2017 10:53 AM

Hello jairjr,
please read here: http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Manageacceleratedsearchsummaries#Restric...
specially this: "In addition, be careful when accelerating reports whose base searches include tags, event types, search macros, and other knowledge objects whose definitions can change independently of the report after the report is accelerated. If this happens, the accelerated report can return invalid results."

Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-25-2017 10:59 AM

Hi adonio thank you for the answer, I know that using tags is not a good practice but this is just a warning, it should let me enable acceleration. Shouldn't it?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-25-2017 11:49 AM

can you enable acceleration on any search? try index = * | timechart count by host

0 Karma
Reply
Solved! Jump to solution

jairjr
Path Finder
‎04-25-2017 03:21 PM

Yes, I can even go to another saved report and enable it.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...