Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Accelerating report that uses bucket _time

jpillai
Path Finder
2 weeks ago

Hi All,

I have a report running every 6 hour with below search query. This is fetching hourly availability of haproxy backends based on http response code as shown below.

I need to accelerate this report, but I think the bucket section of the search is disqualifying this for report acceleration. Can someone help with modifying this search so that it can be accelerated or are there any other work arounds to do this to get the exact same table as shown?

 

index=haproxy (backend="backend1" OR backend="backend2")
| bucket _time span=1h
| eval result=if(status >= 500, "Failure", "Success") 
| stats count(result) as totalcount, count(eval(result="Success")) as success, count(eval(result="Failure")) as failure by backend, _time
| eval availability=tostring(round((success/totalcount)*100,3)) + "%" 
| fields _time, backend, success, failure, totalcount, availability

 

_time backend success failure totalcount availability

2024-06-07 04:00backend128666028666100.000%
2024-06-07 05:00backend128666028666100.000%
2024-06-07 06:00backend128712028712100.000%
2024-06-07 07:00backend128697028697100.000%
2024-06-07 08:00backend128678028678100.000%
2024-06-07 09:00backend128714028714100.000%
2024-06-07 04:00backend26180618100.000%
2024-06-07 05:00backend21790179100.000%
2024-06-07 06:00backend25550555100.000%
2024-06-07 07:00backend21030103100.000%
2024-06-07 08:00backend2103901039100.000%
Labels (4)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

It seems perfectly acceleratable. The bin command is a streaming one so the requirements for only streaming commands before first transforming command is fulfilled.

You could try to use summary indexing here though instead of report acceleration - this would give you more flexibility in using the summarized data later should you need to reference it in other searches.

0 Karma
Reply

jpillai
Path Finder
2 weeks ago

Oh wait. I missed to include one last update that was added to the search which is search time window in the search itself. The search uses time window (earliest=@h-6h latest=@h) as shown below. When I removed this, I found that it is possible to set acceleration. Is this a known limitation?

 

index=haproxy (backend="backend1" OR backend="backend2") earliest=@h-6h latest=@h
| bucket _time span=1h
| eval result=if(status >= 500, "Failure", "Success") 
| stats count(result) as totalcount, count(eval(result="Success")) as success, count(eval(result="Failure")) as failure by backend, _time
| eval availability=tostring(round((success/totalcount)*100,3)) + "%" 
| fields _time, backend, success, failure, totalcount, availability

 

 

0 Karma
Reply

jpillai
Path Finder
2 weeks ago

Splunk says "This search cannot be accelerated" when I go to enable acceleration for the report and hit save,

Screenshot 2024-06-09 at 3.03.50 PM.jpg

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageacceleratedsearchsummaries#Restr...

Since the search itself qualifies for acceleration, most probably your user role either lacks capabilities to enable accelerations or write permissions for the report.

0 Karma
Reply

jpillai
Path Finder
2 weeks ago

Im afraid this is not the the case. I have admin role and I have enabled acceleration for other reports before. Please also note that the error is "*This search* can not be accelerated" as mentioned in above replies.

0 Karma
Reply

jpillai
Path Finder
2 weeks ago

Oh wait. I missed to include one last update that was added to the search which is search time window in the search itself. The search uses time window (earliest=@h-6h latest=@h) as shown below. When I removed this, I found that it is possible to set acceleration. Is this a known limitation?

index=haproxy (backend="backend1" OR backend="backend2") earliest=@h-6h latest=@h
| bucket _time span=1h
| eval result=if(status >= 500, "Failure", "Success") 
| stats count(result) as totalcount, count(eval(result="Success")) as success, count(eval(result="Failure")) as failure by backend, _time
| eval availability=tostring(round((success/totalcount)*100,3)) + "%" 
| fields _time, backend, success, failure, totalcount, availability

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

I suppose one can argue that it falls under the "cannot use sampling" restriction but I agree that it could be more explicitly worded.

There is a feedback form at the end of the docs page. You're more than welcome to send feedback about this missing info. They do read it and react!

0 Karma
Reply

tscroggins
Influencer
2 weeks ago

Hi @jpillai,

It should work as written, although you don't need the extra fields command.

What process did you use to accelerate the report? If you used Splunk Web, were any errors reported by the user interface?

0 Karma
Reply

jpillai
Path Finder
2 weeks ago

I used splunk web interface, went to reports > edit acceleration for the specific report > clicked save and it says "This search cannot be accelerated". Please find screenshot in the other reply.

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...