Dashboards & Visualizations

need help with saved reports and dashboards

splunkuseradmin
Path Finder

hi all,

I basically have a very large query with many evals, stats and streamstats, and a lookup is also used, which gives the utilization and average utilization for all call records from CDR with 6 fields in total.
So I wanted to run this query for the last 12 months, saved that as a report and scheduled it for every month on the 2nd (to manage TZ-related differences). I even saved this report in a dashboard.
Here I have 2 questions.
1. Whenever I open the dashboard, it looks like the DB is running again for the last 12 months, because it takes too much time to load the results in the panels?
Note: my aim was to add a panel using reports and just display that cached report in the dashboard.
2. After we save the report with the time range picker (yes), if I wanted to look at the data only for the last 3rd month from those 12 months of data, will it sort that out and show those results in the dashboard from that cached report?

0 Karma

DavidHourani
Super Champion

Hi @splunkuseradmin,

To answer your first question :
To avoid running the search against the entirety of your data every time you should schedule the search and then use the saved search results to display it. Make sure you include the time field in your report so you can reuse it for question 2.
Reference documentation here : https://docs.splunk.com/Documentation/Splunk/7.3.0/Report/Schedulereports#Schedule_a_report

Now to answer your second question :
Now that you have your results scheduled and saved with the time field, you can reuse the search results using the loadjob command as @rob_jordan mentioned :

| loadjob savedsearch="admin:search:MySavedSearch"

Let me know if that helps.

Cheers,
David

0 Karma

splunkuseradmin
Path Finder

Thanks for the reply.
I was wondering how I would add a time picker in the dashboard so I can access the data only for the time (last 4 months) I want, not for all 12 months. So yes, keeping in mind "_time > earliest AND _time < latest".

I believe I need to change the XML? Below is my XML from the saved report, which just displays the cached data. What do I need to do if I want to change the dates within the cached 12 months?

ex., | loadjob savedsearch="admin:search:MySavedSearch" | where _time>$time_tok.earliest$ AND _time>$time_tok.latest$

Will that work out?

testloadjob

<input type="time" token="time_tok" searchWhenChanged="true">
  <label>Select Time</label>
  <default>
    <earliest>-4mon@mon</earliest>
    <latest>@mon</latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>|loadjob savedsearch="foo:zoo:boo"| where _time&lt;"$timepicker.latest$" AND _time&gt;"$time_tok.earliest$"</query>
      <sampleRatio>1</sampleRatio>
      <earliest>$time_tok.earliest$</earliest>
      <latest>$time_tok.latest$</latest>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <format type="number" field="audio_minutes"></format>
    <format type="number" field="video_minutes"></format>
    <format type="number" field="end_time"></format>
    <format type="number" field="start_time"></format>
  </table>
</panel>
0 Karma

bandit
Motivator

Try using a scheduled report and the loadjob command to return your cached base search results then you can pipe into individual stats commands for each panel etc.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob

0 Karma

splunkuseradmin
Path Finder

Thanks for replying. I believed this would be the answer, but any suggestions for the XML below, for the time range changes in the dashboard for the saved report? where _time >earliest AND _time

0 Karma
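
An added example (not from any post in this thread) of one way to narrow the cached results of the scheduled report with the dashboard time picker. It assumes the saved report keeps `_time` in its output, reuses the `time_tok` token and the `foo:zoo:boo` placeholder from the post above, and relies on `addinfo` to turn relative picker values such as `-4mon@mon` into epoch bounds that can be compared with `_time`:

```xml
<form>
  <label>testloadjob</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-4mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- loadjob returns the cached 12-month result set of the scheduled
               report; addinfo adds info_min_time / info_max_time (epoch seconds)
               taken from the earliest/latest set on this search by the picker -->
          <query>| loadjob savedsearch="foo:zoo:boo"
| addinfo
| where _time &gt;= info_min_time AND _time &lt; info_max_time
| fields - info_min_time info_max_time info_search_time info_sid</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="count">100</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The `where` clause only narrows what the scheduled report already cached, so a picker range outside the report's 12 months returns no rows.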