Post-process / Base search is slow

sojanmathew — Sat, 28 Apr 2018 02:17:32 GMT

I've base search / post process as follows, but it is taking more time than separate in-line query.

<search id="baseSearch">
    <query>
      index=testapp OutgoingCall=google  | stats count by Result
    </query>
    <earliest>-1d@h</earliest>
    <latest>now</latest>
  </search>

<panel>
      <single>
        <title>Total</title>
        <search base="baseSearch">
          <query>
            stats sum(count)
          </query>
        </search>
      </single>
    </panel>

<panel>
<single>
 <search base="baseSearch">
          <query>
             search Result=Success | stats sum(count) AS successCount 
            </query>
        </search>
</single>
</panel>
<panel>
      <single>
        <title>Failed</title>
        <search base="baseSearch">
          <query>search Result=Failed | stats sum(count) as failedCount</query>
        </search>
      </single>
    </panel>

I used following doc as reference:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/Savedsearches

Why this is very slow? Am I doing something wrong ?
Note: splunk enterprise ver 6.6.3

Re: Post-process / Base search is slow

Richfez — Sat, 28 Apr 2018 21:53:44 GMT

What do you mean by "taking more time?" How much more time are we talking about?

Re: Post-process / Base search is slow

niketn — Tue, 29 Sep 2020 19:19:38 GMT

@sojanmathew, since you are on Splunk 6.6.3 even if you have multiple rows of Results you can use Trellis Layout to Split the Single Values by Results. Even if you wanted to use two separate Single Value Panels(in case formatting options for both Single Value are different), you can use stats with eval to get Success and Failed count in Single row and then use Search Event Handler <done> or <progress> to pass on the result to Single Value Panels.

Try the following run anywhere dashboard example based on Splunk's _internal index:
(PS: I have converted log_level as per required field/value i.e. Result="Success" and Result="Failed")

<dashboard>
  <label>Single Value Success And Failed</label>
  <row>
    <panel depends="$alwaysHideCSSPanel$">
      <html>
        <style>
          #singleSuccess h3.dashboard-element-title, #singleFailed h3.dashboard-element-title{
            text-align:center !important;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Stats Generates Single Row One Column for Failed and Another for Success</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
          | eval Result=if(log_level="INFO","Success","Failed")
          | stats count(eval(Result=="Failed")) as Failed count(eval(Result=="Success")) as Success</query>
          <earliest>-1d@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$job.resultCount$==0">
              <set token="tokSuccess">0</set>
              <set token="tokFailed">0</set>
            </condition>
            <condition>
              <set token="tokSuccess">$result.Success$</set>
              <set token="tokFailed">$result.Failed$</set>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Two Single Value visualizations in the same Panel</title>
      <single id="singleSuccess">
        <title>Failed</title>
        <search>
          <query>| makeresults 
| fields - _time
| eval Failed=$tokFailed$</query>
          <earliest>-1s</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="useThousandSeparators">0</option>
      </single>
      <single id="singleFailed">
        <title>Success</title>
        <search>
          <query>| makeresults
| fields - _time
| eval Success=$tokSuccess$</query>
          <earliest>-1s</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Stats generates two rows one for Failed and another for Success</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
          | eval Result=if(log_level="INFO","Success","Failed")
          | stats count by Result</query>
          <earliest>-1d@h</earliest>
          <latest>now</latest>
          <progress>
            <condition match="$job.resultCount$==0">
              <set token="tokSuccess">0</set>
              <set token="tokFailed">0</set>
            </condition>
            <condition>
              <set token="tokSuccess">$result.Success$</set>
              <set token="tokFailed">$result.Failed$</set>
            </condition>
          </progress>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Single Value Using Trellis</title>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
          | eval Result=if(log_level="INFO","Success","Failed")
          | stats count by Result
          </query>
          <earliest>-1d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="height">150</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
</dashboard>

PS: CSS Override also has been used in the example to align the Single Value visualization Title to Center.

topic Re: Post-process / Base search is slow in Monitoring Splunk

Post-process / Base search is slow

Re: Post-process / Base search is slow

Re: Post-process / Base search is slow