Knowledge Management

How to implement improvisation of dashboard?

vineela
Path Finder

Hi All,

I have one dashboard with multiple panels and it's taking too much time to load. I am trying to implement base search and sub search.
I have one doubt in implementing it.
The queries are common up to index, sourcetype and source, but I need to differentiate on one code (assume it's the transaction ID), and the rest of the query seems the same.
For example:
index=xyz  sourcetype="dtc:hsj" tcode="1324"  -----> for a few queries

index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" ------> for a few queries

And the remaining part is the same for all the queries. Is there a way I can configure tcode in the base search and use the same in the sub search?


Thanks in Advance

0 Karma

gcusello
SplunkTrust

Hi @vineela,

The best approach is to aggregate results in the base search and then display a subset of the data in each panel.

Only to explain: 

if you want to count in one panel the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"

in another count the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" 

and in a third one all the others,

you could put in the basesearch something like this:

     index=xyz  sourcetype="dtc:hsj" 
     | eval condition=case(tcode="1324","1",tcode="1324" OR tcode="234","2",true(),"3")
     | stats count BY condition

then in each panel you will be able to filter results (condition=1 or condition=2 or condition=3).

Ciao.

Giuseppe

0 Karma

tshah-splunk
Splunk Employee

Hi @vineela,

You can create a base query without the tcode and then, in the panel-specific query, you can start your search with

| search tcode="1324" OR tcode="234"

and then append the rest of your queries. 

Alternatively, you can create two base searches with the queries mentioned in the description and use the same for different panels.

Directly define the base searches in the source code of XML below the description field as below:

<search id="base_1">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324"</query>
</search>
<search id="base_2">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324" OR tcode="234"</query>
</search>

Now, under the panel, define the queries using the search id as the base:

<row>
<panel>
<search base="base_1">
<query> | your_query </query>
</search>
</panel>
</row>

You can define other panels in a similar way using base="base_2".

 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma