I use a lot of SearchSelectLister modules in my dashboard.
Users select values to refine a search.
For example they first select an host, and with this host they select a sourcetype etc...
I have a lot of SearchSelectLister and ConvertToIntention nested and its works well.
My problem is that the first searches take a long time since the search is heavy whereas I would like only all values in a field.
For example my scripts look like:
<module name="SearchSelectLister" layoutPanel="mainSearchControls"> <param name="settingToCreate">setting</param> <param name="searchWhenChanged">True</param> <param name="applyOuterIntentionsToInternalSearch">True</param> <param name="earliest">-1h</param> <param name="latest">now</param> <param name="search">index="infra_storagearea" host=$vsp$ sourcetype=vspLU |dedup LUN| table LUN|sort LUN</param>
Here im looking for all values of a field LUN with a certain host that I got from a previous Select. Im obligated to put earliest=-1h or the search takes more than 30 sec and on a dashboard its too long, but Im not sure to have all values. I would have earliest=4h if possible.
Is this search better? Is there any better way?
index="infra_storagearea" host=$vsp$ sourcetype=vspLU |stats count by LUN| table LUN|sort LUN
Yes you can use lookup tables,which will be faster. Hardcoding them in the advanced xml is much faster but it will require the advanced xml edit everytime new value wil be added.
Yes, Lookup will be the best solution for static values/dropdown list type of values. However, if you have to go with search, the best way is to use "|stats count by LUN | fields - count". Data is automatically sorted by LUN and comes as tabular form using stats.
The solution is to use lookup tables.
You have to configure a scheduled search that runs each day and exports the values you need with an outpoutlookup.
Hence you have to search for
|importlookup File.csv in the SearchSelectLister.
However, if you have to go with search, the best way is to use
|stats count by LUN | fields - count. Data is automatically sorted by LUN and comes as tabular form using stats.