Solved: Re: Acceleration grayed out

jairjr · ‎04-24-2017

Any idea why I can't enable acceleration for this simple transformation:

sourcetype=iis tag::host="aDC" OR tag::host="bDC" OR tag::host="cDC" | timechart count by tag::host

jairjr · ‎04-26-2017

This worked:
sourcetype=iis | eval hosttag = if("tag::host" == "c" OR "tag::host" == "b" OR "tag::host" == "c", "tag::host", null()) | timechart count by tag::host

if I try "| timechart count by hosttag" I get a count named NULL instead.

View solution in original post

jairjr · ‎04-26-2017

This worked:
sourcetype=iis | eval hosttag = if("tag::host" == "c" OR "tag::host" == "b" OR "tag::host" == "c", "tag::host", null()) | timechart count by tag::host

if I try "| timechart count by hosttag" I get a count named NULL instead.

lguinn2 · ‎04-26-2017

In an eval command, the single quotes are used to enclose field names that have special characters on the right side of the equals sign (=).

jkat54 · ‎04-25-2017

I'm curious what happens if you try this:

sourcetype=iis 
| eval hosttag=if('tag::host'=="aDC" OR 'tag::host'=="bDC" OR 'tag::host'=="cDC"),'tag::host',null())
| timechart count by hosttag

I don't know if the single quotes around tag::host are needed or if this will even work at all. Just curious.

jairjr · ‎04-26-2017

The single quotes are needed, and I was able to enable acceleration just fine, thank you. Can you let me know why this way worked?

jairjr · ‎04-26-2017

But interesting, that way the hosttag var is not populated.

jkat54 · ‎04-26-2017

Did it work or not?

If not, can you show me what event types make those tags? I can then craft the search without tags.

adonio · ‎04-25-2017

Hello jairjr,
please read here: http://docs.splunk.com/Documentation/Splunk/6.5.3/Knowledge/Manageacceleratedsearchsummaries#Restric...
specially this: "In addition, be careful when accelerating reports whose base searches include tags, event types, search macros, and other knowledge objects whose definitions can change independently of the report after the report is accelerated. If this happens, the accelerated report can return invalid results."

jairjr · ‎04-25-2017

Hi adonio thank you for the answer, I know that using tags is not a good practice but this is just a warning, it should let me enable acceleration. Shouldn't it?

adonio · ‎04-25-2017

can you enable acceleration on any search? try index = * | timechart count by host

jairjr · ‎04-25-2017

Yes, I can even go to another saved report and enable it.

Acceleration grayed out

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation