
[Performance] Fastest way to get a list of all values for a field

Communicator

Hi.
I use a lot of SearchSelectLister modules in my dashboard.
Users select values to refine a search.
For example, they first select a host, and with this host they select a sourcetype, etc.
I have a lot of SearchSelectLister and ConvertToIntention modules nested and it works well.

My problem is that the first searches take a long time, since the search is heavy, whereas all I want is the list of values for one field.

For example my scripts look like:

<module name="SearchSelectLister" layoutPanel="mainSearchControls">
    <param name="settingToCreate">setting</param>
    <param name="searchWhenChanged">True</param>
    <param name="applyOuterIntentionsToInternalSearch">True</param>
    <param name="earliest">-1h</param>
    <param name="latest">now</param>
    <param name="search">index="infra_storagearea" host=$vsp$ sourcetype=vspLU |dedup LUN| table LUN|sort LUN</param>
</module>

Here I'm looking for all values of the field LUN for a certain host that I got from a previous Select. I'm obliged to put earliest=-1h or the search takes more than 30 seconds, and on a dashboard that's too long, but then I'm not sure I have all values. I would use earliest=4h if possible.

Is this search better? Is there any better way?

index="infra_storagearea" host=$vsp$ sourcetype=vspLU |stats count by LUN| table LUN|sort LUN
0 Karma

Re: [Performance] Fastest way to get a list of all values for a field

Communicator

Maybe I'll use some lookup tables; that seems to me the best solution for this case.

0 Karma

Re: [Performance] Fastest way to get a list of all values for a field

Contributor

Yes, you can use lookup tables, which will be faster. Hardcoding them in the advanced XML is much faster, but it will require editing the advanced XML every time a new value is added.

0 Karma

Re: [Performance] Fastest way to get a list of all values for a field

SplunkTrust

Yes, a lookup will be the best solution for static values / dropdown-list type values. However, if you have to go with a search, the best way is to use "|stats count by LUN | fields - count". Data is automatically sorted by LUN and comes in tabular form using stats.


Re: [Performance] Fastest way to get a list of all values for a field

Communicator

The solution is to use lookup tables.
You have to configure a scheduled search that runs each day and exports the values you need with an outputlookup.

Then the SearchSelectLister search is simply |inputlookup File.csv.

However, if you have to go with a search, the best way is to use |stats count by LUN | fields - count. Data is automatically sorted by LUN and comes in tabular form using stats.


0 Karma
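Added example, not from any post in this thread: the two pieces the accepted answer describes, put together so the SearchSelectLister no longer touches the index at dashboard load time. The lookup file name lun_by_host.csv, the saved-search name build_lun_lookup, the setting name lun_setting and the schedule are all placeholders chosen for this example; the index, sourcetype, field and $vsp$ token are the ones from the original question. The scheduled search lives in savedsearches.conf and is shown here as an XML comment only so that both halves sit in one place.

```xml
<!-- Part 1 (savedsearches.conf, placeholder stanza name): a scheduled search
     that rebuilds the lookup once a day over a wide window, so the dashboard
     never has to scan the index itself. "stats count by host LUN" gives one
     row per (host, LUN) pair, already sorted; "fields - count" drops the
     counter before the CSV is written.

     [build_lun_lookup]
     search = index="infra_storagearea" sourcetype=vspLU | stats count by host LUN | fields - count | outputlookup lun_by_host.csv
     enableSched = 1
     cron_schedule = 0 2 * * *
     dispatch.earliest_time = -7d@d
     dispatch.latest_time = now
-->

<!-- Part 2 (Advanced XML): the selector reads the CSV instead of the index.
     No earliest/latest are needed because inputlookup is not bounded by a
     time range, so the list is complete regardless of dashboard load time.
     $vsp$ is still filled in from the upstream host selector via the outer
     intentions, exactly as in the original module. -->
<module name="SearchSelectLister" layoutPanel="mainSearchControls">
    <param name="settingToCreate">lun_setting</param>
    <param name="label">LUN</param>
    <param name="searchWhenChanged">True</param>
    <param name="applyOuterIntentionsToInternalSearch">True</param>
    <param name="search">| inputlookup lun_by_host.csv | search host=$vsp$ | fields LUN | sort LUN</param>
    <param name="searchFieldsToDisplay">
        <list>
            <param name="value">LUN</param>
            <param name="label">LUN</param>
        </list>
    </param>
</module>
```

Two points worth checking when you adopt this: the scheduled search's dispatch window decides how far back a LUN must have been seen to appear in the dropdown (here seven days, versus the one hour the original module could afford), and the CSV is written into the app's lookups directory, so keep the app's permissions tight, since whoever can edit that file controls what the dashboard offers as selectable values.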