Dashboards & Visualizations

How to create a dashboard with hidden search used as base?

paulski82
New Member

I had a poke around in Splunk Answers, but I couldn't find anything on this specifically.

I have a dashboard that has 8+ panels, with maybe more required. Each panel does something slightly different, but each uses the same search string (at least before the first pipe sign). For performance reasons, I'd like to be able to run the search only once for the dashboard (e.g. as a base search), and then let the search in the other panels refer back to the initial search. However, I don't want to show the full (or any) results of the initial/base search in the first panel at the top of my dashboard. That is, I want the results of the base search to be "hidden", but accessible by the other searches lower down in the dashboard. I don't want to run the initial search as a saved search; I'd like it to be available in (as close as possible to) real time.

Is this possible with Splunk?

0 Karma
1 Solution

hallt3
Path Finder

You can just put the base search in the XML (like an init)

<form>
  <search id="base_id">
    <query>
    </query>
  </search>

  ...

  <row>
    <panel>
      <table>
        <search base="base_id">
        ...

</form>


0 Karma


HiroshiSatoh
Champion

I think it would be better to use BASE search, but if there are many base search results, performance will deteriorate.
It is effective in the case that uses an aggregation result like a sample.

<Base search>
https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/PanelreferenceforSimplifiedXML

0 Karma

paulski82
New Member

OK, but the question is how do I do a HIDDEN base search. I know how to do a base search.

0 Karma

niketn
Legend

@paulski82 I think what @HiroshiSatoh mentioned was that, as per your description, it seems like you want to use streaming results in your base search, which will impact the performance of the dashboard instead of improving it. So, you should ensure that you use post-processing only for panels which reuse the same transforming result sets and display different columns and/or fields from the transforming results. If there are too many events in your raw search, then the same may also be dropped. Refer to the Best Practices Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices

Also, what you need to do is create an independent search, i.e. a search without a panel and view.

<search id="baseSearch"> 
    <query> your base search query
    </query>
</search> 

You can use the above documentation to see Chained and Complex Post-processing examples which list this approach. They also explain when to use post-processing and when to avoid it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"