Monitoring Splunk

[Performance] Fastest way to get a list of all values for a field

timmalos
Communicator

Hi.
I use a lot of SearchSelectLister modules in my dashboard.
Users select values to refine a search.
For example they first select an host, and with this host they select a sourcetype etc...
I have a lot of SearchSelectLister and ConvertToIntention nested and its works well.

My problem is that the first searches take a long time since the search is heavy whereas I would like only all values in a field.

For example my scripts look like:

<module name="SearchSelectLister" layoutPanel="mainSearchControls">
    <param name="settingToCreate">setting</param>
    <param name="searchWhenChanged">True</param>
    <param name="applyOuterIntentionsToInternalSearch">True</param>
    <param name="earliest">-1h</param>
    <param name="latest">now</param>
    <param name="search">index="infra_storagearea" host=$vsp$ sourcetype=vspLU |dedup LUN| table LUN|sort LUN</param>

Here im looking for all values of a field LUN with a certain host that I got from a previous Select. Im obligated to put earliest=-1h or the search takes more than 30 sec and on a dashboard its too long, but Im not sure to have all values. I would have earliest=4h if possible.

Is this search better? Is there any better way?

index="infra_storagearea" host=$vsp$ sourcetype=vspLU |stats count by LUN| table LUN|sort LUN
0 Karma
1 Solution

timmalos
Communicator

The solution is to use lookup tables.
You have to configure a scheduled search that runs each day and exports the values you need with an outpoutlookup.

Hence you have to search for |importlookup File.csv in the SearchSelectLister.

However, if you have to go with search, the best way is to use |stats count by LUN | fields - count. Data is automatically sorted by LUN and comes as tabular form using stats.

View solution in original post

0 Karma

timmalos
Communicator

The solution is to use lookup tables.
You have to configure a scheduled search that runs each day and exports the values you need with an outpoutlookup.

Hence you have to search for |importlookup File.csv in the SearchSelectLister.

However, if you have to go with search, the best way is to use |stats count by LUN | fields - count. Data is automatically sorted by LUN and comes as tabular form using stats.

0 Karma

somesoni2
Revered Legend

Yes, Lookup will be the best solution for static values/dropdown list type of values. However, if you have to go with search, the best way is to use "|stats count by LUN | fields - count". Data is automatically sorted by LUN and comes as tabular form using stats.

adityapavan18
Contributor

Yes you can use lookup tables,which will be faster. Hardcoding them in the advanced xml is much faster but it will require the advanced xml edit everytime new value wil be added.

0 Karma

timmalos
Communicator

Maybe 'll use some lookups tables, seems for me the best solution for this case.

0 Karma
Get Updates on the Splunk Community!

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...