https://community.splunk.com/t5/Reporting/Schedule-report-with-variable-field/m-p/497947#M7976 <P>First and foremost: maybe what I'm looking for isn't possible or I'm going down the wrong road, in which case, please enlighten me.</P> <P>So say we have search:</P> <P>index=my_index my_field1=* | timechart my_field2</P> <P>I can add this search to a dashboard and make it so, that with a dropdown list I can select what my_field1 will be. So I can generate a result overall, or a specific selection of it.<BR /> Now this search takes a while, so I thought I'd schedule it. This works, but the substition is not scheduled. So in other words, if I use the result in the dashboard, my search result remains "my_field1=*", no matter the substition from the dropdown list.</P> <P>Is there an easy way to schedule all possible outcomes for this search? (they are fixed, so a lookup table for the values is an option)<BR /> Or do I need to look at other mechanisms to speed up the search, and if so, which would that be?</P> <P>Kind regards,<BR /> Herman</P> Wed, 30 Sep 2020 02:28:50 GMT splunkuzleuven 2020-09-30T02:28:50Z https://community.splunk.com/t5/Reporting/Schedule-report-with-variable-field/m-p/497947#M7976 <P>First and foremost: maybe what I'm looking for isn't possible or I'm going down the wrong road, in which case, please enlighten me.</P> <P>So say we have search:</P> <P>index=my_index my_field1=* | timechart my_field2</P> <P>I can add this search to a dashboard and make it so, that with a dropdown list I can select what my_field1 will be. So I can generate a result overall, or a specific selection of it.<BR /> Now this search takes a while, so I thought I'd schedule it. This works, but the substition is not scheduled. So in other words, if I use the result in the dashboard, my search result remains "my_field1=*", no matter the substition from the dropdown list.</P> <P>Is there an easy way to schedule all possible outcomes for this search? (they are fixed, so a lookup table for the values is an option)<BR /> Or do I need to look at other mechanisms to speed up the search, and if so, which would that be?</P> <P>Kind regards,<BR /> Herman</P> Wed, 30 Sep 2020 02:28:50 GMT https://community.splunk.com/t5/Reporting/Schedule-report-with-variable-field/m-p/497947#M7976 splunkuzleuven 2020-09-30T02:28:50Z https://community.splunk.com/t5/Reporting/Schedule-report-with-variable-field/m-p/497948#M7977 <P>Hi splunkuzleuven,<BR /> you should use summary indexes:</P> <UL> <LI>schedule your search choosing a time period and a span adeguate to your needs;</LI> <LI>add to you search the row <CODE>| collect index=my_summary</CODE> ;</LI> <LI>then use the new summary index for your searches as a database table.</LI> </UL> <P>the search to schedule (e.g. every hour) will be something like this:</P> <PRE><CODE>index=my_index my_field1=* earliest=-h@h latest=@h | timechart count BY my_field2 span=1h | collect index=my_summary </CODE></PRE> <P>then you can run something like this:</P> <PRE><CODE>index=my_summary earliest=7d latest=now | timechart sum(count) AS Total BY $my_token$ </CODE></PRE> <P>In this way you can use in your dashboard the results of your report (your scheduled search) that's very quick and you can pass tokens to it.</P> <P>Analyze the collect command to understand if there are any additional options useful for you.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 04 Oct 2019 12:58:09 GMT https://community.splunk.com/t5/Reporting/Schedule-report-with-variable-field/m-p/497948#M7977 gcusello 2019-10-04T12:58:09Z