- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to create a dashboard with hidden search u...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a poke around in Splunk Answers, but I couldn't find anything on this specifically.
I have a dashboard that has 8+ panels, with maybe more required. Each panel does something slightly different, but each uses the same search string (at least before the first pipe sign). For performance reasons, I'd like to be able to run the search only once for the dashboard (eg. as a base search), and then let the search in the other panels refer back to the initial search. However, I don't want to show the full (or any) results of the initial/base search in the first panel at the top of my dashboard. That is, I want the results of the base search to be "hidden", but accessible by the other searches lower down in the dashboard. I don't want to run the initial search as a saved search, I'd like it be available in (as close as possible to) real time.
Is this possible with Splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can just put the base searchin the XML (like an init)
< form>
< search id="base_id" >
< query>
< /query >
< /search >
...
< row>
< panel>
< table>
< search base="base_id" >
...
< /form >
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can just put the base searchin the XML (like an init)
< form>
< search id="base_id" >
< query>
< /query >
< /search >
...
< row>
< panel>
< table>
< search base="base_id" >
...
< /form >
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it would be better to use BASE search, but if there are many base search results, performance will deteriorate.
It is effective in the case that uses an aggregation result like a sample.
<Base search>
https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/PanelreferenceforSimplifiedXML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, but the question is how do I do a HIDDEN base search. I know how to do a base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@paulski82 I think what @HiroshiSatoh mentioned was that as per your description seems like you want to use streaming results in your base search which will impact performance of dashboard instead of improving it. So, you should ensure to use post-processing only for panels which reuse same transforming result sets and display different column and/or field from the transforming results. If there are too many events in your raw search then the same may also be dropped. Refer to Best Practices Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/Savedsearches#Best_practices
Also what you need to do is create an independent search i.e. a search without a panel and view.
<search id="baseSearch">
<query> your base search query
</query>
</search>
You can use the above documentation to see Chained and Complex Post processing examples which list this approach. They also explain when to use post-processing and when to avoid.
| makeresults | eval message= "Happy Splunking!!!"
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
