Hi all,
I basically have a very large query with many evals, stats, and streamstats, and a lookup is also used, which gives the utilization and average utilization for all call records from CDR with 6 fields in total.
So I wanted to run this query for the last 12 months, saved it as a report, and scheduled it for every month on the 2nd (to manage TZ-related differences). I even saved this report in a dashboard.
Here I have 2 questions.
1. Whenever I open the dashboard, it looks like the DB is running for the last 12 months again, because it takes too much time to load the results in the panels?
Note: my aim was to add a panel using reports and just display that cached report in the dashboard.
2. After we save the report with the time range picker (yes), if I want to look at the data only for the last 3rd month from that 12 months of data, will it sort out to show those results in the dashboard from that cached report?
Hi @splunkuseradmin,
To answer your first question:
To avoid running the search against the entirety of your data every time, you should schedule the search and then use the saved search results to display it. Make sure you include the time field in your report so you can reuse it for question 2.
Reference documentation here: https://docs.splunk.com/Documentation/Splunk/7.3.0/Report/Schedulereports#Schedule_a_report
Now to answer your second question:
Now that you have your results scheduled and saved with the time field, you can reuse the search results using the loadjob command as @rob_jordan mentioned:
| loadjob savedsearch="admin:search:MySavedSearch"
Let me know if that helps.
Cheers,
David
Thanks for the reply.
I was wondering how I would add a time picker in the dashboard so I can access the data only for the time (last 4 months) I want, not for all 12 months. So yes, keeping in mind "_time > earliest AND _time < latest".
I believe I need to change the XML? Below is my XML from the saved report, which just displays the cached data. What do I need to do if I want to change the dates within the cached 12 months?
E.g., | loadjob savedsearch="admin:search:MySavedSearch" | where _time>$time_tok.earliest$ AND _time>$time_tok.latest$
Will that work out?
testloadjob
<input type="time" token="time_tok" searchWhenChanged="true">
  <label>Select Time</label>
  <default>
    <earliest>-4mon@mon</earliest>
    <latest>@mon</latest>
  </default>
</input>
<panel>
  <table>
    <search>
      <query>|loadjob savedsearch="foo:zoo:boo"| where _time<"$timepicker.latest$" AND _time>"$time_tok.earliest$"</query>
      <sampleRatio>1</sampleRatio>
      <earliest>$time_tok.earliest$</earliest>
      <latest>$time_tok.latest$</latest>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
    <format type="number" field="audio_minutes"></format>
    <format type="number" field="video_minutes"></format>
    <format type="number" field="end_time"></format>
    <format type="number" field="start_time"></format>
  </table>
</panel>
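One way to apply a time picker to cached results, as an added example that is not from any poster in this thread: it uses a single token name (`time_tok`) throughout and compares `_time` against the epoch bounds that `addinfo` exposes, rather than against the raw token strings such as `-4mon@mon`. It assumes the scheduled report keeps the `_time` field in its results, and the dashboard label is a placeholder; the saved search name is the one used earlier in the thread.

```xml
<form>
  <label>Cached report with time picker (example)</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-4mon@mon</earliest>
        <latest>@mon</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- loadjob returns every cached row regardless of the panel's
               time range, so the range has to be applied explicitly.
               addinfo adds info_min_time / info_max_time: the panel
               search's earliest/latest resolved to epoch seconds.
               CDATA keeps the comparison operators valid inside XML.
               Assumption: the picker is set to a bounded range
               (not "All time"). -->
          <query><![CDATA[
| loadjob savedsearch="admin:search:MySavedSearch"
| addinfo
| where _time >= info_min_time AND _time < info_max_time
| fields - info_min_time info_max_time info_search_time info_sid
          ]]></query>
          <!-- These set the range that addinfo reports; the same token
               name must be used here and on the input above. -->
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="count">100</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```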
Try using a scheduled report and the loadjob command to return your cached base search results; then you can pipe into individual stats commands for each panel, etc.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob
Thanks for replying. I believed this would be the answer, but any suggestions for the XML below, for the time range changes in the dashboard for the saved report? where _time >earliest AND _time