Knowledge Management

How to implement improvisation of dashboard?

vineela
Path Finder

Hi All,

I have one dashboard with multiple panels and its taking too much of time to load. I am trying to implement base search and sub search.
I have one doubt in implementing it.
I have the queries with common until index,sourcetype and source....but i need to differentiate in one code assume its transaction id...and all the remaining query seems same.
For ex:
index=xyz  sourcetype="dtc:hsj" tcode="1324"  ----->for few queries

index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" ------>for few queries

And the remaining part is same for all the queries..Is there a way that can i configure tcode in basesearch and used the same in subsearch


Thanks in Advance

Labels (1)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vineela,

the best approach is that you could aggregate results in the base search and then display in each panel a subset of data.

Only to explain: 

if you want in a panel count the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"

in another count the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" 

and in a third one all the others,

you could put in the basesearch something like this:

index=xyz  sourcetype="dtc:hsj" 
| eval condition=3
| eval condition=case(tcode="1324","1",tcode="1324" OR tcode="234","2")
| stats count BY condition

then in each panel you will be able to filter results (condition=1 or condition=2 or condition=3

Ciao.

Giuseppe

0 Karma

tshah-splunk
Splunk Employee
Splunk Employee

Hi @vineela,

You can create base query without the tcode and then in the panel specific query, you can start your search with

| search tcode="1324" OR tcode="234"

and then append the rest of your queries. 

Alternatively, you can create two base searches with the queries mentioned in the description and use the same for different panels.

Directly define the base searches in the source code of XML below the description field as below:

<search id="base_1">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324"</query>
</search>
<search id="base_2">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324" OR tcode="234"</query>
</search>

 Now under the panel, define the queries using the search id as base

<row>
<panel>
<search base="base_1">
<query> | your_query </query>
</search>
</panel>
</row>

You can define other panels in similar way using base="base_2"

 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...