Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Populating Multiple Dashboard Panels, From One...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to run a search against a slow index, with a lot of data. I am not an admin, and can not engage acceleration. I am looking for the most efficient way of getting the panels to populate. I was thinking that would be to do a base search that included all that I was looking for, and then have the sub-searches pull what I was specifically looking for from the main search. For instance...
The main search might look like:
<dashboard>
<label>Really Great Dashboard</label>
<description>Woo Hoo!</description>
<search id="base">
<query>
index=thatIndex sourcetype="thatSubtype" (RandoFieldName=1 OR RandoFieldName=2 OR RandoFieldName=3)
</query>
</search>
I would use that as the starting point. Then the dashboards would have:
<search base="base">
<query>
| search RandoFieldName=1
| stats count by RandoFieldName=1
| where count>10
| stats dc(RandoFieldName=1)
</query>
</search>
But, when I try to get that to work, I end up with the search gobbling up a large amount of disk space, or if I remove the "|search" from the query, I get either an error, or a zero.
I figure that I am close, but I don't know what I am doing wrong. I have tried to google for an answer for this, but I seem to be asking with terms that are not producing the results that I am looking for. Some are close-ish, but none are hitting the mark. If someone could point me in the right direction, it would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
<dashboard>
<label>Really Great Dashboard</label>
<description>Woo Hoo!</description>
<search id="base">
<query>
index=thatIndex sourcetype="thatSubtype" (RandoFieldName=1 OR RandoFieldName=2 OR RandoFieldName=3) | stats count BY RandoFieldName
</query>
</search>
and like this:
<search base="base">
<query>
search RandoFieldName=1
</query>
</search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
<dashboard>
<label>Really Great Dashboard</label>
<description>Woo Hoo!</description>
<search id="base">
<query>
index=thatIndex sourcetype="thatSubtype" (RandoFieldName=1 OR RandoFieldName=2 OR RandoFieldName=3) | stats count BY RandoFieldName
</query>
</search>
and like this:
<search base="base">
<query>
search RandoFieldName=1
</query>
</search>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add a fields command in the base search with list of all the fields that you're going to use in the child searches. Keep only what's required.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
