Solved: This report cannot be accelerated.

DamageSplunk · ‎10-13-2015

I've got a simple search which uses stats. I've saved the dashboard and created a scheduled report but when I go to setup summary indexing I get "This report cannot be accelerated."

The goal of this search is to generate summary events every 15 minutes - today it's nearly impossible to query an entire day or week in less than 4 hours search time.

The search is: index=azure_wadlogs sourcetype=WADLogs host=* | eval time=_time | eval itime=_indextime | eval latency=(itime - time) | stats count as NumEvents, avg(latency) as AvgLatency, min(latency) as MinLatency, max(latency) as MaxLatency by Role | sort +Role

What is preventing me from enabling report acceleration?

masonmorales · ‎10-13-2015

Does your role allow you to accelerate reports? (i.e. does it have the schedule_search capability?)

Take a look at the docs too: http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Schedulereports

View solution in original post

masonmorales · ‎10-13-2015

Does your role allow you to accelerate reports? (i.e. does it have the schedule_search capability?)

Take a look at the docs too: http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Schedulereports

skoelpin · ‎10-13-2015

If you want to accelerate the search then you need to have a transforming search which is made up of transforming commands.. So take your normalized search and tweek it to include a transformation command

http://docs.splunk.com/Splexicon:Transformingsearch

masonmorales · ‎10-13-2015

FYI - stats is considered to be a transforming command. See: http://docs.splunk.com/Documentation/Splunk/6.2.5/Report/Acceleratereports#How_reports_qualify_for_r...

This report cannot be accelerated.

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team