Why doesn’t the report qualify for report accelera...

ddrillic · ‎04-25-2019

We have a report such as -

index=<index name>
            (  URI=<a certain uri> OR 
               URI=<a certain uri> OR 
               URI=<a certain uri> ....
            )
| dedup <field name>
| rename <fields>
| eval <new time field>=_time
| table <fields>
| fillnull

Why wouldn’t it qualify for report acceleration?

codebuilder · ‎04-25-2019

Your query is not using any transforming/streaming commands and therefore does not qualify. You need to use stats, timechart, etc.

This section has more detailed information:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Knowledge/Aboutsummaryindexing

----
An upvote would be appreciated and Accept Solution if it helps!

ddrillic · ‎04-25-2019

Great, is there a way to convert the table command to a streaming command?

codebuilder · ‎04-29-2019

You can perform an eval on one of the fields being returned, or add stats, timechart, etc. Any of those should make it qualify.

----
An upvote would be appreciated and Accept Solution if it helps!

Why doesn’t the report qualify for report acceleration?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Why doesn’t the report qualify for report acceleration?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem