Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- report acceleration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
report acceleration
Hi,
I have the bellow search:
I am trying to use acceleration reporting however because the eventstats I can't, I have tried to rewrite the search however it does not work, could someone please help me?
index=test sourcetype=test
| eval ResponseTime=round(response_time/1000,2)
| eventstats perc99(ResponseTime) as p99Resp
| eventstats perc90(ResponseTime) as p90Resp
|eventstats perc75(ResponseTime) as p75Resp
| eval p99Unit=if(ResponseTime<=p99Resp,0,1)
| eval p00Response=ResponseTime
| eval p98Response=if(ResponseTime<=p99Resp,ResponseTime,null())
| eval p99Response=if(ResponseTime<=p99Resp,null(),ResponseTime)
| eval p90Unit=if(ResponseTime<=p90Resp,0,1)
| eval p90Response=if(ResponseTime<=p90Resp,ResponseTime,null())
| eval p90Response=if(ResponseTime<=p90Resp,null(),ResponseTime)
| eval p75Unit=if(ResponseTime<=p75Resp,0,1)
| eval p75Response=if(ResponseTime<=p75Resp,ResponseTime,null())
| eval p75Response=if(ResponseTime<=p75Resp,null(),ResponseTime)
| stats sum(p99Unit) as P99Count, avg(p99Response) as p99ResponseAvg, min(p99Response) as p99ResponseMin, max(p99Response) as p99ResponseMax sum(p90Unit) as P90Count, avg(p90Response) as p90ResponseAvg, min(p90Response) as p90ResponseMin, max(p90Response) as p90ResponseMax sum(p75Unit) as P75Count, avg(p75Response) as p75ResponseAvg, min(p75Response) as p75ResponseMin, max(p75Response) as p75ResponseMax
| rename P99Count as "99% Total Count"
| rename p99ResponseAvg as "99% AVG"
| rename p99ResponseMin as "99% Min Response Time"
| rename p99ResponseMax as "99% Max Response Time"
| rename P90Count as "90% Total Count"
| rename p90ResponseAvg as "90% AVG"
| rename p90ResponseMin as "90% Min Response Time"
| rename p90ResponseMax as "90% Max Response Time"
| rename P75Count as "75% Total Count"
| rename p75ResponseAvg as "75% AVG"
| rename p75ResponseMin as "75% Min Response Time"
| rename p75ResponseMax as "75% Max Response Time"
Thanks
Joe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With report acceleration you are restricted to a limited number of commands. See this documentation:
https://docs.splunk.com/Documentation/Splunk/8.2.1/Report/Acceleratereports#Search_mode_and_report_a...
You might be better off using an accelerated datamodel which includes only the fields and time range you need.
https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Acceleratedatamodels
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for your reply,
I thought you couldn't accelerate a data model with an event stats command?
AI for AppInspect
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
