Why am I unable to accelerate this report?

Motivator

Hi, I wonder whether someone may be able to help me please.

I'm trying to get to grips with 'Report Acceleration' and I've managed to create one, but I think this was more luck than knowledge.

I'm trying to accelerate the report below, but for some reason, Splunk tells me that it's unable to do so.

 index= main tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"  | eval shortForm='detail.formId'."  " | eval shortForm =  substr(shortForm, 1, 6) | sort 0  detail.messageId  | stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId" | chart count by shortForm  | eval pieSlice=shortForm  + " " + count  | fields pieSlice, count

I've been reading through the documentation and through a tutorial in a book I have (Splunk Operational Intelligence Cookbook), and I think I have the correct streaming and transforming commands in place, so I'm unsure why this is failing.

Could someone perhaps tell me please why I'm unable to accelerate this report?

Many thanks and kind regards

Chris


Re: Why am I unable to accelerate this report?

Legend

I believe that the reason this won't accelerate is because you used the sort command (which is not distributable or streaming). But you didn't need sort anyway. I have simplified your search, but it should give the same result:

index= main tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"  
| eval shortForm='detail.formId'."  " 
| eval shortForm =  substr(shortForm, 1, 6) 
| stats first(shortForm) as shortForm by "detail.messageId" 
| chart count by shortForm  
| eval pieSlice=shortForm  + " " + count  
| fields pieSlice, count

Look here for more information on which commands are streaming commands.

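The check the answer above applies by eye, as an added example that is not part of the original posts and is not Splunk's own code: a report qualifies for acceleration only if it uses a transforming command and every command before the first transforming command is streaming. The command sets are a hand-labelled subset assumed for illustration, and the function names are hypothetical.

```python
# Assumption: a small hand-labelled subset of SPL commands, enough for the
# searches in this thread. It is not Splunk's full command-type list.
STREAMING = {"eval", "fields", "rename", "rex", "search", "where"}
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}

# The two searches from the thread, copied as posted.
ORIGINAL = """index= main tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"  | eval shortForm='detail.formId'."  " | eval shortForm =  substr(shortForm, 1, 6) | sort 0  detail.messageId  | stats dc(detail.messageId) first(shortForm) as shortForm by "detail.messageId" | chart count by shortForm  | eval pieSlice=shortForm  + " " + count  | fields pieSlice, count"""
SIMPLIFIED = """index= main tags.transactionName = "Send Email Alert"  auditType="TxSucceeded"
| eval shortForm='detail.formId'."  "
| eval shortForm =  substr(shortForm, 1, 6)
| stats first(shortForm) as shortForm by "detail.messageId"
| chart count by shortForm
| eval pieSlice=shortForm  + " " + count
| fields pieSlice, count"""


def split_pipeline(spl):
    """Split an SPL string on pipes that sit outside single or double quotes."""
    stages, current, quote = [], [], None
    for ch in spl:
        if quote:
            if ch == quote:          # closing quote ends the quoted run
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "|":
            stages.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    stages.append("".join(current).strip())
    return stages


def acceleration_blockers(spl):
    """List commands that appear before the first transforming command
    but are not in STREAMING; report a search with no transforming command."""
    # stages[0] is the implicit base search, so commands start at stages[1].
    commands = [s.split(None, 1)[0].lower() for s in split_pipeline(spl)[1:] if s]
    for position, name in enumerate(commands, start=1):
        if name in TRANSFORMING:
            return [f"'{c}' (command {i}) precedes '{name}' but is not in STREAMING"
                    for i, c in enumerate(commands[:position - 1], start=1)
                    if c not in STREAMING]
    return ["no transforming command found"]
```

Calling `acceleration_blockers(ORIGINAL)` reports the `sort` stage, while `acceleration_blockers(SIMPLIFIED)` returns an empty list.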


Re: Why am I unable to accelerate this report?

Motivator

Hi @Iguinn, thank you very much for taking the time to reply to my post and for the help. The query works great.

May I just ask, is there a list anywhere of the 'Streaming Commands' which I could refer to?

Many thanks and kind regards

Chris

0 Karma

Re: Why am I unable to accelerate this report?

Legend

Updated my original answer with a link for you!

0 Karma

Re: Why am I unable to accelerate this report?

Motivator

Hi @Iguinn, thank you for coming back to me with this and for the link.

Many thanks and kind regards

Chris

0 Karma