Knowledge Management

How to implement improvisation of dashboard?

vineela
Explorer

Hi All,

I have one dashboard with multiple panels and its taking too much of time to load. I am trying to implement base search and sub search.
I have one doubt in implementing it.
I have the queries with common until index,sourcetype and source....but i need to differentiate in one code assume its transaction id...and all the remaining query seems same.
For ex:
index=xyz  sourcetype="dtc:hsj" tcode="1324"  ----->for few queries

index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" ------>for few queries

And the remaining part is same for all the queries..Is there a way that can i configure tcode in basesearch and used the same in subsearch


Thanks in Advance

Labels (1)
Tags (1)
0 Karma

gcusello
Legend

Hi @vineela,

the best approach is that you could aggregate results in the base search and then display in each panel a subset of data.

Only to explain: 

if you want in a panel count the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"

in another count the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" 

and in a third one all the others,

you could put in the basesearch something like this:

index=xyz  sourcetype="dtc:hsj" 
| eval condition=3
| eval condition=case(tcode="1324","1",tcode="1324" OR tcode="234","2")
| stats count BY condition

then in each panel you will be able to filter results (condition=1 or condition=2 or condition=3

Ciao.

Giuseppe

0 Karma

tshah-splunk
Splunk Employee
Splunk Employee

Hi @vineela,

You can create base query without the tcode and then in the panel specific query, you can start your search with

| search tcode="1324" OR tcode="234"

and then append the rest of your queries. 

Alternatively, you can create two base searches with the queries mentioned in the description and use the same for different panels.

Directly define the base searches in the source code of XML below the description field as below:

<search id="base_1">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324"</query>
</search>
<search id="base_2">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324" OR tcode="234"</query>
</search>

 Now under the panel, define the queries using the search id as base

<row>
<panel>
<search base="base_1">
<query> | your_query </query>
</search>
</panel>
</row>

You can define other panels in similar way using base="base_2"

 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...