How to implement improvisation of dashboard?

Hi All,

I have one dashboard with multiple panels and it's taking too much time to load. I am trying to implement a base search and sub searches.
I have one doubt about implementing it.
I have queries that are common up to index, sourcetype and source, but I need to differentiate on one code (assume it's the transaction ID), and all the rest of the query is the same.
For example:
index=xyz  sourcetype="dtc:hsj" tcode="1324"  -----> for a few queries

index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234"  -----> for a few queries

And the remaining part is the same for all the queries. Is there a way that I can configure tcode in the base search and use the same in the sub search?

Thanks in advance

0 Karma


Hi @vineela,

the best approach is that you aggregate results in the base search and then display a subset of the data in each panel.

Just to explain:

if you want to count in one panel the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"

in another count the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" 

and in a third one all the others,

you could put in the basesearch something like this:

index=xyz  sourcetype="dtc:hsj" 
| eval condition=case(tcode="1324","1",tcode="1324" OR tcode="234","2",true(),"3")
| stats count BY condition

then in each panel you will be able to filter results (condition=1 or condition=2 or condition=3).



0 Karma

Splunk Employee

Hi @vineela,

You can create a base query without the tcode and then, in the panel-specific query, you can start your search with

| search tcode="1324" OR tcode="234"

and then append the rest of your queries. 

Alternatively, you can create two base searches with the queries mentioned in the description and use the same for different panels.

Directly define the base searches in the source code of XML below the description field as below:

<search id="base_1">
  <query>index=xyz  sourcetype="dtc:hsj" tcode="1324"</query>
</search>
<search id="base_2">
  <query>index=xyz  sourcetype="dtc:hsj" tcode="1324" OR tcode="234"</query>
</search>

Now under the panel, define the queries using the search id as base:

<search base="base_1">
  <query> | your_query </query>
</search>

You can define other panels in a similar way using base="base_2".


If you find the answer helpful, an upvote/karma is appreciated
0 Karma