Dashboards & Visualizations

How to create Firewall Log Tracking Dashboard

Schwarzkopfr
Loves-to-Learn

index=firewall* | table _time origin_sic_name service proto service_id src dst rule policy_name rule_name s_port action message_info xlatesrc xlatedst


gcusello
SplunkTrust

Hi @Schwarzkopfr,

after you have run the search, in the upper right part of the search page there's the "Save As" button.

Click on it and choose Dashboard panel.

The following window will ask you if you want a new or existing dashboard.

One final hint: when you create dashboards and other knowledge objects (fields, eventtypes, tags, etc...), don't create them in the Search and Reporting App, but create a new empty app and work inside it.

To create an app go in [Apps -- Manage Apps -- Create App].

Ciao.

Giuseppe


Schwarzkopfr
Loves-to-Learn

Thanks for the help, I haven't got it worked out. I'm more of an equipment maintainer and not an admin. I was just taking my best shot at creating a firewall log tracker that can be a tool when not onsite or in telework situations. This is the environment we have been in since the beginning of COVID-19. It takes me more time to figure things out because I am unfamiliar with the process of creating this kind of tool.


Schwarzkopfr
Loves-to-Learn

I have created a dashboard, and have the table view that I want, but when trying to create a search panel with dropdowns I seem to bog the system down due to the large amount of data being collected from our firewalls. Is there a way other than a Base_Search to populate my dropdowns? Currently I am using | stats count as (xxx) for all of the dropdowns I have in the search panel. Any help would be appreciated.


gcusello
SplunkTrust

Hi @Schwarzkopfr,

to have a quick load of a dropdown input, you have four solutions:

  • if you have few static values to search, you could configure static values instead of a dynamic search;
  • you could use a text box that doesn't need a search;
  • if you have many values, you could schedule a search (e.g. every night or every hour) with only the values to use in the dropdown, saving results in a lookup and then use the lookup for your dropdown;
  • you could use a datamodel or a Summary index.

The last solution is usually the one used with a large amount of data (e.g. firewalls or proxies) because you can use it both for faster dropdowns and panels.

For more info see https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Aboutdatamodels or https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usesummaryindexing

Ciao.

Giuseppe

Schwarzkopfr
Loves-to-Learn

Thank you for this information.

I am working to create a usable tool for us to use while working remotely that can accomplish some troubleshooting of the firewalls when other groups are having connection issues and think it's an issue with our firewall.

I have created a table that mimics the log tracker view we see when we are onsite, using:

index=firewall*.

I have also created a dashboard search panel of dropdowns to act as a filter to easily search for specific issues like source + destination + protocol + action, etc., with a submit button to trigger the search.

I would like to keep that data fresh; maybe I need to add a time picker to the search panel.


gcusello
SplunkTrust

Hi @Schwarzkopfr,

a Time Picker is always a good idea in your dashboards!

Anyway, take into consideration the idea of using accelerated searches or Data Models or Summary indexes: in this way you lose the real-time view but you have response times very much faster than normal searches.

Anyway, if you want continuously updated data, you could set up an update time of 5 or 10 minutes.

Ciao.

Giuseppe

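Putting the two answers above together (lookup-backed dropdowns, text boxes for high-cardinality fields, a time picker and a periodic refresh), here is an added Simple XML dashboard as one way to build the filter panel; it is example code, not from the thread, and the lookup file names fw_actions.csv and fw_protos.csv are assumptions:

```xml
<!-- Scheduled searches (e.g. nightly) that write the dropdown values to lookups,
     so the dashboard never scans the firewall index just to fill its inputs.
     Lookup names are assumptions for this example:
       index=firewall* | stats count by action | fields action | outputlookup fw_actions.csv
       index=firewall* | stats count by proto  | fields proto  | outputlookup fw_protos.csv -->
<form>
  <label>Firewall Log Tracker</label>
  <!-- Nothing runs until Submit is pressed -->
  <fieldset submitButton="true" autoRun="false">
    <!-- Time picker, defaulting to the last six hours -->
    <input type="time" token="tp">
      <label>Time range</label>
      <default><earliest>-6h@h</earliest><latest>now</latest></default>
    </input>
    <!-- High-cardinality fields as text boxes: no populating search at all -->
    <input type="text" token="src"><label>Source</label><default>*</default></input>
    <input type="text" token="dst"><label>Destination</label><default>*</default></input>
    <!-- Low-cardinality fields as dropdowns read from the lookup, not the index -->
    <input type="dropdown" token="proto">
      <label>Protocol</label>
      <choice value="*">Any</choice>
      <default>*</default>
      <fieldForLabel>proto</fieldForLabel>
      <fieldForValue>proto</fieldForValue>
      <search><query>| inputlookup fw_protos.csv | fields proto</query></search>
    </input>
    <input type="dropdown" token="action">
      <label>Action</label>
      <choice value="*">Any</choice>
      <default>*</default>
      <fieldForLabel>action</fieldForLabel>
      <fieldForValue>action</fieldForValue>
      <search><query>| inputlookup fw_actions.csv | fields action</query></search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Firewall log tracker</title>
      <table>
        <search>
          <!-- The filter tokens are applied in the base search, before the table command -->
          <query>index=firewall* src="$src$" dst="$dst$" proto="$proto$" action="$action$"
| table _time origin_sic_name service proto service_id src dst rule policy_name rule_name s_port action message_info xlatesrc xlatedst</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
          <!-- Re-run every 10 minutes to keep the view fresh -->
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>
```

The dropdown searches only read the lookups, so opening the dashboard costs nothing on the firewall index; the cost moves to the scheduled searches that rebuild the lookups.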

Schwarzkopfr
Loves-to-Learn

Thank you. 


gcusello
SplunkTrust

Hi @Schwarzkopfr,

if this answer solves your need, please accept it for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


PickleRick
SplunkTrust

Either use indexed fields or accelerated datamodels to be able to do quick stats. Otherwise you just have lots of data and processing it takes time (and memory).

If you just want to do simple stats from default fields (host, source, sourcetype) or just want to count all events, you can do tstats instead of stats.


Schwarzkopfr
Loves-to-Learn

Working to create a usable tool for us to use while in a remote status that can accomplish some troubleshooting of the firewalls when other groups are having connection issues and think it's an issue with our firewall. I have created a table that mimics the log tracker using index=firewall*. I have also created a search panel of dropdowns to act as a filter to easily search for specific issues like source + destination + protocol + action, etc., with a submit button to trigger the search.

I'd prefer to keep the data fresh, maybe a six hour search window that will refresh at some interval.
