Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does my dashboard crash when a search populates dropdown values?

tkwaller
Builder
‎12-07-2016 01:40 PM

Hello

I have a dashboard that exhibiting some strange behavior. I have the dashboard panel with the dropdowns that populate via searches, when I load the dashboard the page crashes

When I remove these dropdown fields, the dashboard has no problems.

This is the code for the 2 dropdowns but like I said the page crashes with them.

  <label>Proc</label>
    <search>
      <query>index=api host=*xxx* requestURI="/xxx/xxx/xx/*" ucm=true | rename clientIP AS clientip | lookup dnslookup clientip OUTPUT clienthost | transaction transactionId maxspan=10s | search "Inbound" OR "Outbound" | dedup proc | stats count by proc | rename proc as ProcName | table ProcName</query>
      <earliest>-4h@m</earliest>
      <latest>now</latest>
    </search>
    <fieldForLabel>ProcName</fieldForLabel>
    <fieldForValue>ProcName</fieldForValue>
  </input>
  <input type="dropdown" token="status_code_tok|s" searchWhenChanged="true">
    <label>Status Code</label>
    <search>
      <query>index=api host=*xxx* requestURI="/xxx/xxx/xxx/*" ucm=true | rename clientIP AS clientip | lookup dnslookup clientip OUTPUT clienthost | transaction transactionId maxspan=10s | search "Inbound" OR "Outbound" | stats count by statusCode | rename statusCode as StatusCode| table StatusCode</query>
      <earliest>-60m@m</earliest>
      <latest>now</latest>
    </search>
    <fieldForLabel>StatusCode</fieldForLabel>
    <fieldForValue>StatusCode</fieldForValue>
  </input>

Any ideas what the issue may be?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tkwaller
Builder
‎12-08-2016 06:25 AM

I figured out why the dashboard is crashing in the search for the inputs the |s filter for the token was killing it. So i removed that then updated my dashboard searches.
So I just added prefixes and suffixes as needed for the searches and good to go.
Thanks for the ideas!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tkwaller
Builder
‎12-08-2016 06:25 AM

I figured out why the dashboard is crashing in the search for the inputs the |s filter for the token was killing it. So i removed that then updated my dashboard searches.
So I just added prefixes and suffixes as needed for the searches and good to go.
Thanks for the ideas!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-08-2016 05:54 AM

See if this works. My guess is you have two long running queries. Change your dashboard to use post-processing searches to optimize it.

     <search id="baseQuery">
       <query>index=api host=*xxx* requestURI="/xxx/xxx/xx/*" ucm=true "Inbound" OR "Outbound" | rename clientIP AS clientip | lookup dnslookup clientip OUTPUT clienthost | stats count by proc statusCode</query>
    <search>

   <label>Proc</label>
     <search base="baseQuery">
       <query>| table proc | rename proc as ProcName | dedup ProcName</query>
       <earliest>-4h@m</earliest>
       <latest>now</latest>
     </search>
     <fieldForLabel>ProcName</fieldForLabel>
     <fieldForValue>ProcName</fieldForValue>
   </input>
   <input type="dropdown" token="status_code_tok|s" searchWhenChanged="true">
     <label>Status Code</label>
     <search base="baseQuery">
       <query>| dedup statusCode | rename statusCode as StatusCode| table StatusCode</query>
       <earliest>-60m@m</earliest>
       <latest>now</latest>
     </search>
     <fieldForLabel>StatusCode</fieldForLabel>
     <fieldForValue>StatusCode</fieldForValue>
   </input>

Here's documentation on post-process searches http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Post-process_searches

Reply
Solved! Jump to solution

tkwaller
Builder
‎12-08-2016 06:09 AM

I cloned the dashboard and tried this as well, same issue. As soon as I pick an option the page crashes

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎12-08-2016 06:48 AM

I did use this in the dashobard, good thought

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎12-08-2016 05:50 AM

those look like complex searches for inputs. transactions generally are not the best for processing. I'd try to find a way to rewrite the inputs more efficiently. possibly use a |streamstats time_window=10s transactionId

Reply
Solved! Jump to solution

tkwaller
Builder
‎12-08-2016 05:59 AM

So I broke the first dropwdown search down to this instead:
index=apigateway host=*xxx* requestURI="/xxx/xx/xx/*" ucm=true | search "Inbound" OR "Outbound" | dedup proc | stats count by proc | rename proc as ProcName | table ProcName

but still when I make the selection in the dropdown the page crashes

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎12-08-2016 06:13 AM 
index=apigateway host=*xxx* requestURI="/xxx/xx/xx/*" ucm=true ( "Inbound" OR "Outbound") | stats count by proc | rename proc as ProcName | fields ProcName

try something like that. you shouldn't need to |search right after the base and dedup shouldn't matter if you're just trying to get unique ProcNames for a dropdown.

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎12-08-2016 06:48 AM

great ideas, optimization definitely improved performance

0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎12-07-2016 02:21 PM

your revision clipped the opening <input> tag

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...