Re: SPL2 searches acceleration

artkhod

Hi,

I haven't seen the acceleration mentioned anywhere in regards to SPL2.

I have saved a sample search as a report form the search box and noticed that the report is saved as `| @spl2 search ...` which prompts a question what would theoretically happen if we were able to accelerate it? Would the SPL2 searches that use the accelerated report as a base benefit from summaries? Is acceleration something that would be introduced with SPL2 views/searches?

As of now, I assume it is not possible, since trying to accelerate a search with @spl2 gives a 'malformed search' error which is different to 'report cannot be accelerated' error that appears when the report does not satisfy the condition.

Thank you in advance.

VatsalJagani

@artkhod - I don't think it has been documented anywhere in Splunk Docs that accelerated report supports SPL2. FYI, I also didn't find its documented anywhere that it does not support as well.

Maybe if you need it as a feature you can submit it as an idea to https://ideas.splunk.com

SPL2 searches acceleration

other

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation