How to implement base search for servers traffic m...

asplunk789 · ‎12-15-2022

Hi Team,

How to implement the base search functionality to improve the loading time of Splunk dashboard. I have multiple panels with many server types. Each panel has one type of server. Every time when am changing the time filter, taking so much time to load the panels with each server traffic data.

So how I can improve this loading time by implementing the base search functionality? Please suggest on this.

FelixLeh · ‎12-15-2022

Hi @asplunk789!
Here is a run anywhere Dashboard that uses a base search in multiple panels with a dynamic time input.
Remember that you can run into trouble using base searches when the data from you base search is not in table format/has not run any transformative commands before piping them into the panels. In the given example this is not a problem because data from "| makeresults" is already in a table format. With event based data it can help to run a "| table" or "| stats" command at the end of the base search if you have trouble getting results.

As @gcusello said in the reply to my post it is not necessary to use a command like "| table" or "| stats" to get a results from your base search. Using "| fields" to specify what fields you want to keep is sufficient.
Though you can still of course use commands like "| stats" in the base search if it suits you use case!

Hope this helps!

<form version="1.0">
<search id="base1">
<query>
| makeresults count=10
| eval Test = "This is a Test Event"
</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<label>Test Dashboard</label>
<fieldset submitButton="false">
<input type="time" token="time_token">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search base="base1">
<query>| stats count</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<search base="base1">
<query>| fields *</query>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>

gcusello · ‎12-15-2022

Hi @FelixLeh,

if in the base search you haven't a streaming command (as stats or timechart) you have to list all the fields to use in the panels using the "fields" command, otherwise, your panels aren't populated.

Ciao.

Giuseppe

FelixLeh · ‎12-15-2022

Thanks I didn't know that. Thought you'd have to transform it to get a result but I've checked it and you are absolutely correct! I will adjust my answer accordingly.

gcusello · ‎12-15-2022

Hi @asplunk789,

could you share your searches?

Anyway you have to find the common part of searches that you can put in the base search, possible using a streming command to reduce results, e.g. put in the base search the mainsearch and a stats command, then i each panel, you can filter results displaying only one or few values.

in the meantime, install and see the Splunk Dashboard Examples App (https://splunkbase.splunk.com/app/1603), where you can find a sampleabout post process search implementation.

Ciao.

Giuseppe

How to implement base search for servers traffic monitoring dashboards?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation