Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HiddenPostProcess spawns a new realtime search for each dashboard item?

vectorsc
Explorer
‎08-15-2012 01:08 PM

When using a realtime HiddenPostProcess search to power a dashboard, I find that splunk still spawns one RT search for each dashboard item.

I was given to understand this would not occur?
Dashboard works fine, just spawns 60 searches when run.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎08-15-2012 11:42 PM

This happens once in a while when people use the postprocess modules before really understanding when and where searches get kicked off.

Short answer -- put a single JobProgressIndicator module at the same level of the XML, or above, where all those HiddenPostProcess modules are. That will solve your problem. The JobProgressIndicator is one of the modules that "requires a search to be running", and because of putting that one module at or above the place where the XML branches, a single search will be then dispatched by the framework to serve that one JobProgressIndicator. Then as the data is passed to the various forks below each with their own HiddenPostProcess module, that one dispatched job will be distributed among all the modules, and no further searches will be dispatched.

When you dont have any dispatching module up at the level where it branches, what happens is the data all branches first. Then when that data gets deeper in and the framework realizes it all needs searches kicked off, it has to kick off one search for each branch. Bad news.

For further reading Sideview Utils has a good docs page that gives you an intro to this stuff.

You can install the latest Sideview Utils app (2.1.1) http://sideviewapps.com/apps/sideview-utils/ and then once it's installed you navigate to "Key Techniques > Overview of the Advanced XML"

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎08-15-2012 11:42 PM

This happens once in a while when people use the postprocess modules before really understanding when and where searches get kicked off.

Short answer -- put a single JobProgressIndicator module at the same level of the XML, or above, where all those HiddenPostProcess modules are. That will solve your problem. The JobProgressIndicator is one of the modules that "requires a search to be running", and because of putting that one module at or above the place where the XML branches, a single search will be then dispatched by the framework to serve that one JobProgressIndicator. Then as the data is passed to the various forks below each with their own HiddenPostProcess module, that one dispatched job will be distributed among all the modules, and no further searches will be dispatched.

When you dont have any dispatching module up at the level where it branches, what happens is the data all branches first. Then when that data gets deeper in and the framework realizes it all needs searches kicked off, it has to kick off one search for each branch. Bad news.

For further reading Sideview Utils has a good docs page that gives you an intro to this stuff.

You can install the latest Sideview Utils app (2.1.1) http://sideviewapps.com/apps/sideview-utils/ and then once it's installed you navigate to "Key Techniques > Overview of the Advanced XML"

Reply
Solved! Jump to solution

abhiram
Explorer
‎11-05-2012 03:08 PM

hi vectorsc,
I have exactly the same issue of panels spawning multiple searches. can u let me know where exactly to place JobProgressIndicator...I tried placing at couple of places above all the hiddenPostProcess modules...its not working.

0 Karma
Reply
Solved! Jump to solution

vectorsc
Explorer
‎08-16-2012 08:32 AM

This was 100% accurate and the answer of moving the JobProgressIndicator to the top level worked perfectly.

Additionally, leaving it out of the XML altogether was not functional for other people looking at this question.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...