Struggling with this query in Splunk ES. The results come back fine but take a long time to generate. Tried to accelerate it but got an error stating that it can't be accelerated. I have many accelerated queries that use the timechart command (a requirement for accelerated reports), but they were all on Splunk base. First time trying to do this on the ES installation. Any ideas on what is preventing it from being accelerated? FYI - The query is intended to look back 12 months (year to date) and display a vertical graph of all events closed by severity in ES. notable | search status_label="Closed" OR status_label="Resolved" | eval severity_status=severity.":".status_label | fillnull value="unknown" | timechart span=1mon count by severity_status | rename "informational:Closed" AS "Informational","low:Closed" AS "Low","medium:Closed" AS "Medium","high:Closed" AS "High","critical:Closed" AS "Critical" ... View more

Looking for a simple approach to combine two fields into one. Ref: ES / Audit / Incident Review Audit There is no report/dashboard panel that has a breakdown of Open, Closed, Pending, or Resolved by Severity level. Unfortunately, I need to show how many events are OPEN and how many are CLOSED by Severity levels CRITICAL and HIGH. Using a basic search string I can easily pull the data but forcing it to break down into a graph using the above criteria is giving me no end of trouble. Basic search: notable | search severity="high" OR severity="critical" NOT suppression | stats count by status_label | rename status_label as Status, severity as Severity, count as "# Events" | sort 10 - count I want to combine Open and Pending into a single, combined field value labeled as "Open", and combine Closed and Resolved into a single field value labeled as "Closed". I then need to reflect how many Open and Closed events there are by severity levels CRITICAL and HIGH. I would like to put it in a Column graph, with a time range of monthly since the beginning of the year. Thoughts? ... View more