This was a great example of a metrics input from a CSV file! We've added it to the metrics documentation: http://docs.splunk.com/Documentation/Splunk/7.0.0/Metrics/GetMetricsInOther#Example_of_a_CSV_file_metrics_input We have also updated this topic to clarify the CSV file format requirements for this kind of metrics input. ... View more

At the end of the day, the only way to know for sure is to accelerate the report and see if you get a performance improvement that makes the cost of doing the acceleration* worth it. This guideline in the docs is mainly there to explain why some report accelerations give you larger performance gains than others. *Cost = the cost of having a scheduled search run in the background to build the summary, and the cost in terms of disk storage space for the summary itself. ... View more

There's some overlap between the sort of information you're looking for here and the contents of the new Inherit a Splunk Enterprise Deployment manual. That manual is specifically designed to help admins who find themselves in command of a Splunk deployment that has been up and running for some time. You might find the final topic in that manual of particular interest, as it includes some of the items in your list and covers other subjects that are similar to those items. It's called Investigate knowledge object problems. It includes: Knowledge object naming conflicts Object permissions Object interdependency considerations Finding and reassigning orphaned objects Scheduled searches and search concurrency Report and data model acceleration considerations ... View more

If you want definitive proof that a schedule window is being applied to a search, inspect scheduler.log and see if a window_time field is associated with the search. The true test, of course, is whether the schedule window is effective. You should only apply it to searches that seem to be causing other searches to skip their scheduled runs. If you apply it to a scheduled search and find that the skip frequency for the other searches decreases, that is a good indication that the window is doing its job. ... View more

Ok. The same restriction applies to user-based search filters, unfortunately. The plain truth is that no search filters whatsoever can be applied to accelerated data models or their objects. I'll update the documentation to reflect this. The fact that the filter isn't working for ordinary indexed data is puzzling, however, and I don't have any immediate suggestions to resolve it. If I do, I'll respond here. ... View more

You're partially correct about role-based search filters not being applied to tstats searches. By default they are applied to tstats searches of ordinary indexed data. But they are not applied to tstats searches of accelerated data models and accelerated data model objects. There is a tstats setting that you can use in limits.conf to change this default. This is discussed in the documentation of the tstats command: http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Tstats#Selecting_data ... View more

This method is documented more clearly here: http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Workwithdatasets#Delete_datasets I'll update the documentation so that the two sets of instructions correspond with each other better. Matt Ness, Splunk Documentation ... View more

See also Dataset types and usage in the Knowledge Manager Manual. Data model objects are now classified as a type of dataset. You can open any data model dataset in Pivot from the Datasets listing page (which replaced the Pivot page). ... View more

Ah, looks like someone beat me to this response! ... View more

Can your users see any other Settings page links? If they cannot see other admin-only Settings pages that you have access to, it could be that you need to expand their access in the local.meta file as described here: http://docs.splunk.com/Documentation/Splunk/6.2.2/Security/Addmanagementaccesstocustomroles Note that in this topic, what is referred to as "Manager" is now called "Settings" in the product. ... View more

Report acceleration summary verification is documented here: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Manageacceleratedsearchsummaries#Verify_a_summary Report acceleration summaries fail verification when the data they contain is inconsistent, meaning that the newer data in the summary has fundamental differences from the older data in the summary. This can happen when (sometimes quite subtle) changes are made to components of the base search, such as a change to the definition of a tag or event type. In your case it could be that the wildcarded source=*license_usage.log is finding data from a wider range of log files now than it did originally. If you're certain that the base search is working properly you can rebuild the summary and then verify the rebuilt summary. You may get better results. As for skipped buckets: the verification process skips buckets that are hot, as well as buckets that are in the process of being built. ... View more

For more information about reusing eval statements, see this topic on calculated fields: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/definecalcfields ... View more

Not in 6.0, unfortunately. That's why the additional capability was added in v6.1--with that you can take away report acceleration and still schedule searches. ... View more

Try taking advantage of the tstatshomepath setting on indexes.conf by defining a different one for each of your indexes. From indexes.conf.spec : tstatsHomePath = <path on index server> * Location where datamodel acceleration TSIDX data for this index should be stored * If specified, MUST be defined in terms of a volume definition (see volume section below) * If not specified it defaults to volume:_splunk_summaries/$_index_name/datamodel_summary, where $_index_name is the name of the index * CAUTION: Path must be writable. * Must restart splunkd after changing this parameter; index reload will not suffice. This subtopic, which covers setup of size-based retention across indexers, provides an example configuration. ... View more

I documented it at the note in the "Configure a filter element" subtopic: http://docs.splunk.com/Documentation/Splunk/latest/Pivot/UsingthePivotvisualizationeditor#Configure_a_filter_element ... View more

This isn't an answer exactly, so I won't frame it as such--but you probably won't get a better idea of what's going on until you investigate the logs of the summarize creation search. It sounds like you have a problem bucket that is causing the summarize creation search to stall or crash. If you're not sure how to perform this analysis, contact Splunk Support. ... View more

This is in response to your comment to rsennett.... First off, if you haven't tried the Data Model and Pivot Tutorial, you probably should. I think it would answer many of your questions. If you have tried it and you're still confused, here's another brief tutorial that hopefully will clarify things. You should be able to build a fairly simple data model that delivers the results you need, given the example you've provided. You'd start by creating a data model that consists of one event-based object. Name the object "Sales." Give it a constraint that isolates the events where a revenue-generating sale occurred, such as Sale_Point = * (I'm assuming this provides the location or store name where something was sold). Assuming the four fields are automatically extracted, add them to the object as auto-extracted attributes: Customer , Amount , Sale_Point . (Date should be added automatically as _time unless it's different from the event timestamp.) Make sure that the attribute types are correctly identified: Customer and Sale_Point are strings and Amount is a number. That should be all you need to do. Save your changes. To accelerate the data model go to the Data Model Manager page (it says "Data Models" at the top and has an Actions column; you get to it from the Data Model Editor page by clicking "Back to Data Models"). Click Edit and select Edit Permissions. Share the object with the App or All Apps. (Only shared objects can be accelerated.) Click Edit again and click Edit Acceleration. In the Edit Acceleration dialog select Accelerate and then select a Summary Range. Summary range is the amount of time that you need to be accelerated. The bigger the range, the more space the acceleration summary will take up on disk and the longer it will take to create, so don't choose a range that is longer than you need it to be. For example, if you don't plan to search over more than the last week or two, select a range of 1 Month. Save your acceleration changes. Your model is now accelerated. Now open the object in Pivot. When you go in, straight away it will give you a count of your events with a Sale_Point value over all time (the column will be titled "Count of Sales"). You can adjust the time filter to search over a shorter time range if you don't need all that data (ideally you should cut it down to within your acceleration Summary Range). In Pivot you can fiddle around to get the charts you're interested in. For example, you could add a Split Row element for the Sale_Point attribute and then replace the "Count of Sales" Column Value element with one that sums up Amount . This would give you the total sum of sales by sale point. Or you could set up a Split Row element for the Customer attribute instead and get the total sum of sales by customer. And then you could use the Filter element to filter out all results but those for a specific sale point or customer (if you wanted to). Hopefully this helps! ... View more

Glad you feel that Splunk's new Pivot feature is off to a good start! Keep in mind that we're just getting rolling with Pivot and will be expanding its range over time. The filter limit attribute list currently only displays the top values in your dataset. This is a bug--a performance-related limitation--that we intend to clear up in an upcoming release. And with regard to subsearches and similar Search features--you can include these and many other advanced search mechanics in root search objects. Root search objects are designed to use just about any kind of search string as long as it returns statistical results in table format (uses transforming commands, in other words). You just have to keep in mind that object hierarchies based on root search objects cannot take advantage of persistent data model acceleration (but they will be covered by ad-hoc acceleration). So at least for now there's trade-off if you want to use a complex search as the foundation of a data model. ... View more