All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with post processing search macro

vinodhchirumail
Engager
‎08-22-2019 11:46 PM

I have 5-6 panels in a dashboard, they are loading slowly.
I know I can speed it up by post search processing.
My question is - How to load 2nd panel after 1st panel has finished and so on.
Do I need to write a custom macro for that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-23-2019 08:48 AM

hi @vinodhchirumailla
if you just have a series of panels and you want to load them one after the other, you can set a token under the tag for one panel and then use a global comment macro (no need to write your own macro) for the next panel to start executing only after the first one finishes. Try something like this
This is for first panel, you need to add a token in the tag like this

   <done>
            <set token="show2"></set>

          </done>

Now you re-use this token in panel 2, something like this

<search>
          <query>index= index=blah blah `comment("start execution only if $show2$ IS SET")` |rest of your query....
....

You can in theory form a solution where panel 2 sets a token show3 under its done tag and then you re-use it in the search query for panel 3 and so on and so forth...

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎08-23-2019 09:09 AM

@vinodhchirumailla before considering Post-Processing, have you identified why your search query is having performance issues?

Also if you have how post-processing is going to help you? Are all panel queries correlated so that you can use data from one panel to be chained to other? Do consider Post-Processing best practices to ensure that you are using it right way (instead of passing entire raw data sets to various panels and filtering complete data set as needed): https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-23-2019 08:48 AM

hi @vinodhchirumailla
if you just have a series of panels and you want to load them one after the other, you can set a token under the tag for one panel and then use a global comment macro (no need to write your own macro) for the next panel to start executing only after the first one finishes. Try something like this
This is for first panel, you need to add a token in the tag like this

   <done>
            <set token="show2"></set>

          </done>

Now you re-use this token in panel 2, something like this

<search>
          <query>index= index=blah blah `comment("start execution only if $show2$ IS SET")` |rest of your query....
....

You can in theory form a solution where panel 2 sets a token show3 under its done tag and then you re-use it in the search query for panel 3 and so on and so forth...

Reply
Solved! Jump to solution

vinodhchirumail
Engager
‎08-27-2019 11:56 PM

I tried the above and it works , thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-23-2019 06:28 AM

Base searches run before post-processing searches.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...