How to implement improvisation of dashboard?

Path Finder

Hi All,

I have one dashboard with multiple panels and it's taking too much time to load. I am trying to implement a base search and sub search.
I have one doubt in implementing it.
I have queries that are common up to index, sourcetype and source... but I need to differentiate on one code, assume it's the transaction ID... and all the remaining query seems the same.
For example:
index=xyz  sourcetype="dtc:hsj" tcode="1324"  -----> for a few queries

index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" ------> for a few queries

And the remaining part is the same for all the queries. Is there a way I can configure tcode in the base search and use the same in the sub search?

Thanks in Advance

0 Karma


Hi @vineela,

The best approach is to aggregate results in the base search and then display a subset of the data in each panel.

Only to explain: 

if you want to count in one panel the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"

in another count the results of:

     index=xyz  sourcetype="dtc:hsj" tcode="1324"  OR tcode="234" 

and in a third one all the others,

you could put in the basesearch something like this:

     index=xyz  sourcetype="dtc:hsj"
     | eval condition=case(tcode="1324","1",tcode="1324" OR tcode="234","2",true(),"3")
     | stats count BY condition

then in each panel you will be able to filter results (condition=1 or condition=2 or condition=3).



0 Karma

Splunk Employee

Hi @vineela,

You can create a base query without the tcode and then, in the panel-specific query, you can start your search with

| search tcode="1324" OR tcode="234"

and then append the rest of your queries. 

Alternatively, you can create two base searches with the queries mentioned in the description and use the same for different panels.

Directly define the base searches in the source code of XML below the description field as below:

<search id="base_1">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324"</query>
</search>
<search id="base_2">
<query>index=xyz  sourcetype="dtc:hsj" tcode="1324" OR tcode="234"</query>
</search>

Now under the panel, define the queries using the search id as base

<search base="base_1">
<query> | your_query </query>
</search>

You can define other panels in a similar way using base="base_2"


If you find the answer helpful, an upvote/karma is appreciated
0 Karma
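
A complete Simple XML dashboard that combines the suggestions in the answers above (one aggregating base search, with each panel filtering it in a post-process search), as an added example that is not part of the original thread. The dashboard label, the id `base_tcode`, the time range, the panel titles and the `stats count BY tcode` aggregation (standing in for the "remaining part" of the queries, which the question does not show) are assumptions; the index, sourcetype and tcode values are from the question.

```xml
<dashboard version="1.1">
  <label>tcode overview (example)</label>
  <!-- Base search: runs once and feeds every panel below.
       The id, label, time range and panel titles are assumptions;
       index, sourcetype and tcode values are taken from the question. -->
  <search id="base_tcode">
    <!-- Aggregate here and keep tcode as a field so panels can filter on it -->
    <query>index=xyz sourcetype="dtc:hsj" (tcode="1324" OR tcode="234") | stats count BY tcode</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>tcode 1324 only</title>
      <single>
        <!-- Post-process search: filters the base results, no second index scan -->
        <search base="base_tcode">
          <query>| search tcode="1324" | stats sum(count) AS count</query>
        </search>
      </single>
    </panel>
    <panel>
      <title>tcode 1324 or 234</title>
      <single>
        <!-- The base search already covers both tcodes, so just total them -->
        <search base="base_tcode">
          <query>| stats sum(count) AS count</query>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Count per tcode</title>
      <table>
        <search base="base_tcode">
          <query>| sort - count</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Any field a panel needs to filter on, here `tcode`, has to survive the base search's `stats`, otherwise the post-process searches have nothing to match against.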